http://wiki.nftables.org/wiki-nftables/api.php?action=feedcontributions&user=Vaclavz&feedformat=atom
nftables wiki - User contributions [en]
2024-03-29T06:08:32Z
User contributions
MediaWiki 1.36.4
http://wiki.nftables.org/wiki-nftables/index.php?title=Quick_reference-nftables_in_10_minutes&diff=392
Quick reference-nftables in 10 minutes
2019-04-16T08:04:34Z
<p>Vaclavz: /* Meta */</p>
<hr />
<div>Find below some basic concepts to know before using nftables.<br />
<br />
'''table''' refers to a container of [[Configuring chains|chains]] with no specific semantics.<br />
<br />
'''chain''' within a [[Configuring tables|table]] refers to a container of [[Simple rule management|rules]].<br />
<br />
'''rule''' refers to an action to be configured within a ''chain''.<br />
<br />
<br />
= nft command line =<br />
<br />
''nft'' is the command-line tool used to interact with nftables from userspace.<br />
<br />
== Tables ==<br />
<br />
'''family''' refers to one of the following table types: ''ip'', ''arp'', ''ip6'', ''bridge'', ''inet'', ''netdev''.<br />
<br />
<source lang="bash"><br />
% nft list tables [<family>]<br />
% nft list table [<family>] <name> [-n] [-a]<br />
% nft (add | delete | flush) table [<family>] <name><br />
</source><br />
<br />
The ''-n'' option prints addresses and other values that would otherwise be shown by name in numeric form. The ''-a'' option additionally prints the ''handle'' of each object.<br />
<br />
== Chains ==<br />
<br />
'''type''' refers to the kind of chain to be created. Possible types are:<br />
<br />
* ''filter'': Supported by ''arp'', ''bridge'', ''ip'', ''ip6'' and ''inet'' table families.<br />
* ''route'': Mark packets (the equivalent of iptables' mangle on the ''output'' hook; for other hooks use the ''filter'' type instead), supported by ''ip'' and ''ip6''.<br />
* ''nat'': In order to perform Network Address Translation, supported by ''ip'' and ''ip6''.<br />
<br />
'''hook''' refers to a specific stage of the packet while it is being processed by the kernel. More info in [[Netfilter_hooks|Netfilter hooks]].<br />
<br />
* The hooks for ''ip'', ''ip6'' and ''inet'' families are: ''prerouting'', ''input'', ''forward'', ''output'', ''postrouting''.<br />
* The hooks for ''arp'' family are: ''input'', ''output''.<br />
* The ''bridge'' family handles Ethernet packets traversing bridge devices.<br />
* The hook for ''netdev'' is: ''ingress''.<br />
<br />
'''priority''' is a number used to order chains registered on the same hook relative to each other and to the built-in Netfilter operations listed here (lower values run first). Possible values are: ''NF_IP_PRI_CONNTRACK_DEFRAG (-400)'', ''NF_IP_PRI_RAW (-300)'', ''NF_IP_PRI_SELINUX_FIRST (-225)'', ''NF_IP_PRI_CONNTRACK (-200)'', ''NF_IP_PRI_MANGLE (-150)'', ''NF_IP_PRI_NAT_DST (-100)'', ''NF_IP_PRI_FILTER (0)'', ''NF_IP_PRI_SECURITY (50)'', ''NF_IP_PRI_NAT_SRC (100)'', ''NF_IP_PRI_SELINUX_LAST (225)'', ''NF_IP_PRI_CONNTRACK_HELPER (300)''.<br />
<br />
'''policy''' is the default verdict statement to control the flow in the chain. Possible values are: ''accept'', ''drop'', ''queue'', ''continue'', ''return''.<br />
<br />
<source lang="bash"><br />
% nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]<br />
% nft (delete | list | flush) chain [<family>] <table> <name><br />
% nft rename chain [<family>] <table> <name> <newname><br />
</source><br />
<br />
== Rules ==<br />
<br />
'''handle''' is an internal number that identifies a certain ''rule''.<br />
<br />
'''position''' is an internal number that is used to insert a ''rule'' before a certain ''handle''.<br />
<br />
<source lang="bash"><br />
% nft add rule [<family>] <table> <chain> <matches> <statements><br />
% nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements><br />
% nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements><br />
% nft delete rule [<family>] <table> <chain> [handle <handle>]<br />
</source><br />
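The rule commands above that take a ''handle'' need that handle first, and ''nft -a list'' prints it as a trailing ''# handle N'' comment. The following script is an added example (not from the wiki): it resolves a rule's handle from a constructed listing and emits the matching delete/replace/insert command in nft script form; ''192.0.2.0/24'' is a placeholder network.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the nftables wiki: resolve a rule's handle from
# "nft -a list chain" output and build the delete/replace/insert-by-handle
# commands shown in the Rules section. Assumes nft's "# handle N" suffix.

# Constructed sample of "nft -a list chain inet filter input" output.
SAMPLE_LISTING='table inet filter { # handle 1
	chain input { # handle 1
		type filter hook input priority 0; policy drop;
		ct state { established, related } accept # handle 2
		iifname "lo" accept # handle 3
		tcp dport 22 accept # handle 4
		tcp dport 23 accept # handle 5
	}
}'

# handle_of <listing> <rule>: print the handle of the first rule whose text,
# with indentation and the "# handle N" suffix stripped, equals <rule>.
# Table and chain lines carry handles too, so they are skipped explicitly.
# Returns 1 (and prints nothing) when no rule matches.
handle_of() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "table" && $1 != "chain" && /# handle [0-9]+$/ {
            rule = $0
            sub(/^[ \t]+/, "", rule)
            sub(/[ \t]*# handle [0-9]+$/, "", rule)
            if (rule == want) { print $NF; found = 1; exit }
        }
        END { exit !found }'
}

# cmd_by_handle <delete|replace|insert> <family> <table> <chain> <listing>
#               <existing rule> [new rule]
# Prints one command in nft script form so it can be reviewed and then fed
# to "nft -f -". Handles are allocated by the kernel, so always take them
# from a fresh listing. "insert ... position N" (the syntax on this page)
# places the new rule in front of the rule that has handle N.
cmd_by_handle() {
    verb=$1 family=$2 table=$3 chain=$4 listing=$5 rule=$6 new=$7
    h=$(handle_of "$listing" "$rule") || { echo "no such rule: $rule" >&2; return 1; }
    case $verb in
        delete)  printf 'delete rule %s %s %s handle %s\n' "$family" "$table" "$chain" "$h" ;;
        replace) printf 'replace rule %s %s %s handle %s %s\n' "$family" "$table" "$chain" "$h" "$new" ;;
        insert)  printf 'insert rule %s %s %s position %s %s\n' "$family" "$table" "$chain" "$h" "$new" ;;
        *)       echo "unknown verb: $verb" >&2; return 2 ;;
    esac
}

# Demo on the constructed listing: turn the telnet accept into a drop and
# put a source restriction (placeholder admin network) in front of the ssh rule.
cmd_by_handle replace inet filter input "$SAMPLE_LISTING" 'tcp dport 23 accept' 'tcp dport 23 drop'
cmd_by_handle insert  inet filter input "$SAMPLE_LISTING" 'tcp dport 22 accept' 'ip saddr != 192.0.2.0/24 tcp dport 22 drop'
```

Pipe the printed lines into ''nft -f -'' to apply them as a single transaction.<br />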
<br />
=== Matches ===<br />
<br />
'''matches''' are expressions that select packet header fields or packet metadata so that rules can filter on their values.<br />
<br />
==== Ip ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip match<br />
|-<br />
| ''dscp <value>''<br />
| Differentiated Services Code Point<br />
|<source lang="bash"><br />
ip dscp cs1<br />
ip dscp != cs1<br />
ip dscp 0x38<br />
ip dscp != 0x20<br />
ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, <br />
af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Total packet length<br />
|<source lang="bash"><br />
ip length 232<br />
ip length != 233<br />
ip length 333-435<br />
ip length != 333-453<br />
ip length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''id <id>''<br />
| IP ID<br />
|<source lang="bash"><br />
ip id 22<br />
ip id != 233<br />
ip id 33-45<br />
ip id != 33-45<br />
ip id { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| Fragmentation offset<br />
|<source lang="bash"><br />
ip frag-off 222<br />
ip frag-off != 233<br />
ip frag-off 33-45<br />
ip frag-off != 33-45<br />
ip frag-off { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''ttl <ttl>''<br />
| Time to live<br />
|<source lang="bash"><br />
ip ttl 0<br />
ip ttl 233<br />
ip ttl 33-55<br />
ip ttl != 45-50<br />
ip ttl { 43, 53, 45 }<br />
ip ttl { 33-55 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| Upper layer protocol<br />
|<source lang="bash"><br />
ip protocol tcp<br />
ip protocol 6<br />
ip protocol != tcp<br />
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| IP header checksum<br />
|<source lang="bash"><br />
ip checksum 13172<br />
ip checksum 22<br />
ip checksum != 233<br />
ip checksum 33-45<br />
ip checksum != 33-45<br />
ip checksum { 33, 55, 67, 88 }<br />
ip checksum { 33-55 }<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source address<br />
|<source lang="bash"><br />
ip saddr 192.168.2.0/24<br />
ip saddr != 192.168.2.0/24<br />
ip saddr 192.168.3.1 ip daddr 192.168.3.100<br />
ip saddr != 1.1.1.1<br />
ip saddr 1.1.1.1<br />
ip saddr & 0xff == 1<br />
ip saddr & 0.0.0.255 < 0.0.0.127<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination address<br />
|<source lang="bash"><br />
ip daddr 192.168.0.1<br />
ip daddr != 192.168.0.1<br />
ip daddr 192.168.0.1-192.168.0.250<br />
ip daddr 10.0.0.0-10.255.255.255<br />
ip daddr 172.16.0.0-172.31.255.255<br />
ip daddr 192.168.3.1-192.168.4.250<br />
ip daddr != 192.168.0.1-192.168.0.250<br />
ip daddr { 192.168.0.1-192.168.0.250 }<br />
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip version 4<br />
</source><br />
|-<br />
| ''hdrlength <header length>''<br />
| IP header length<br />
|<source lang="bash"><br />
ip hdrlength 0<br />
ip hdrlength 15<br />
</source><br />
|}<br />
<br />
==== Ip6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ip6 match<br />
|-<br />
| ''dscp <value>''<br />
| Differentiated Services Code Point<br />
|<source lang="bash"><br />
ip6 dscp cs1<br />
ip6 dscp != cs1<br />
ip6 dscp 0x38<br />
ip6 dscp != 0x20<br />
ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}<br />
</source><br />
|-<br />
| ''flowlabel <label>''<br />
| Flow label<br />
|<source lang="bash"><br />
ip6 flowlabel 22<br />
ip6 flowlabel != 233<br />
ip6 flowlabel { 33, 55, 67, 88 }<br />
ip6 flowlabel { 33-55 }<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
ip6 length 232<br />
ip6 length != 233<br />
ip6 length 333-435<br />
ip6 length != 333-453<br />
ip6 length { 333, 553, 673, 838}<br />
</source><br />
|-<br />
| ''nexthdr <header>''<br />
| Next header type (Upper layer protocol number)<br />
|<source lang="bash"><br />
ip6 nexthdr {esp, udp, ah, comp, udplite, tcp, dccp, sctp, icmpv6}<br />
ip6 nexthdr esp<br />
ip6 nexthdr != esp<br />
ip6 nexthdr { 33-44 }<br />
ip6 nexthdr 33-44<br />
ip6 nexthdr != 33-44<br />
</source><br />
|-<br />
| ''hoplimit <hoplimit>''<br />
| Hop limit<br />
|<source lang="bash"><br />
ip6 hoplimit 1<br />
ip6 hoplimit != 233<br />
ip6 hoplimit 33-45<br />
ip6 hoplimit != 33-45<br />
ip6 hoplimit {33, 55, 67, 88}<br />
ip6 hoplimit {33-55}<br />
</source><br />
|-<br />
| ''saddr <ip source address>''<br />
| Source Address<br />
|<source lang="bash"><br />
ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::1234:1234:1234:1234:1234:1234:1234<br />
ip6 saddr ::/64<br />
ip6 saddr ::1 ip6 daddr ::2<br />
</source><br />
|-<br />
| ''daddr <ip destination address>''<br />
| Destination Address<br />
|<source lang="bash"><br />
ip6 daddr 1234:1234:1234:1234:1234:1234:1234:1234<br />
ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234<br />
</source><br />
|-<br />
| ''version <version>''<br />
| IP header version<br />
|<source lang="bash"><br />
ip6 version 6<br />
</source><br />
|}<br />
<br />
<br />
==== Tcp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|tcp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
tcp dport 22<br />
tcp dport != 33-45<br />
tcp dport { 33-55 }<br />
tcp dport {telnet, http, https }<br />
tcp dport vmap { 22 : accept, 23 : drop }<br />
tcp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport <source port>''<br />
| Source port<br />
|<source lang="bash"><br />
tcp sport 22<br />
tcp sport != 33-45<br />
tcp sport { 33, 55, 67, 88}<br />
tcp sport { 33-55}<br />
tcp sport vmap { 25:accept, 28:drop }<br />
tcp sport 1024 tcp dport 22<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| Sequence number<br />
|<source lang="bash"><br />
tcp sequence 22<br />
tcp sequence != 33-45<br />
</source><br />
|-<br />
| ''ackseq <value>''<br />
| Acknowledgement number<br />
|<source lang="bash"><br />
tcp ackseq 22<br />
tcp ackseq != 33-45<br />
tcp ackseq { 33, 55, 67, 88 }<br />
tcp ackseq { 33-55 }<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| TCP flags<br />
|<source lang="bash"><br />
tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr}<br />
tcp flags cwr<br />
tcp flags != cwr<br />
</source><br />
|-<br />
| ''window <value>''<br />
| Window<br />
|<source lang="bash"><br />
tcp window 22<br />
tcp window != 33-45<br />
tcp window { 33, 55, 67, 88 }<br />
tcp window { 33-55 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| TCP checksum<br />
|<source lang="bash"><br />
tcp checksum 22<br />
tcp checksum != 33-45<br />
tcp checksum { 33, 55, 67, 88 }<br />
tcp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''urgptr <pointer>''<br />
| Urgent pointer<br />
|<source lang="bash"><br />
tcp urgptr 22<br />
tcp urgptr != 33-45<br />
tcp urgptr { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''doff <offset>''<br />
| Data offset<br />
|<source lang="bash"><br />
tcp doff 8<br />
</source><br />
|}<br />
<br />
<br />
==== Udp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udp dport 22<br />
udp dport != 33-45<br />
udp dport { 33-55 }<br />
udp dport {telnet, http, https }<br />
udp dport vmap { 22 : accept, 23 : drop }<br />
udp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport <source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udp sport 22<br />
udp sport != 33-45<br />
udp sport { 33, 55, 67, 88}<br />
udp sport { 33-55}<br />
udp sport vmap { 25:accept, 28:drop }<br />
udp sport 1024 udp dport 22<br />
</source><br />
|-<br />
| ''length <length>''<br />
| UDP datagram length (header plus payload)<br />
|<source lang="bash"><br />
udp length 6666<br />
udp length != 50-65<br />
udp length { 50, 65 }<br />
udp length { 35-50 }<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| UDP checksum<br />
|<source lang="bash"><br />
udp checksum 22<br />
udp checksum != 33-45<br />
udp checksum { 33, 55, 67, 88 }<br />
udp checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Udplite ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|udplite match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
udplite dport 22<br />
udplite dport != 33-45<br />
udplite dport { 33-55 }<br />
udplite dport {telnet, http, https }<br />
udplite dport vmap { 22 : accept, 23 : drop }<br />
udplite dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport <source port>''<br />
| Source port<br />
|<source lang="bash"><br />
udplite sport 22<br />
udplite sport != 33-45<br />
udplite sport { 33, 55, 67, 88}<br />
udplite sport { 33-55}<br />
udplite sport vmap { 25:accept, 28:drop }<br />
udplite sport 1024 udplite dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
udplite checksum 22<br />
udplite checksum != 33-45<br />
udplite checksum { 33, 55, 67, 88 }<br />
udplite checksum { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Sctp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|sctp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
sctp dport 22<br />
sctp dport != 33-45<br />
sctp dport { 33-55 }<br />
sctp dport {telnet, http, https }<br />
sctp dport vmap { 22 : accept, 23 : drop }<br />
sctp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport <source port>''<br />
| Source port<br />
|<source lang="bash"><br />
sctp sport 22<br />
sctp sport != 33-45<br />
sctp sport { 33, 55, 67, 88}<br />
sctp sport { 33-55}<br />
sctp sport vmap { 25:accept, 28:drop }<br />
sctp sport 1024 sctp dport 22<br />
</source><br />
|-<br />
| ''checksum <checksum>''<br />
| Checksum<br />
|<source lang="bash"><br />
sctp checksum 22<br />
sctp checksum != 33-45<br />
sctp checksum { 33, 55, 67, 88 }<br />
sctp checksum { 33-55 }<br />
</source><br />
|-<br />
| ''vtag <tag>''<br />
| Verification tag<br />
|<source lang="bash"><br />
sctp vtag 22<br />
sctp vtag != 33-45<br />
sctp vtag { 33, 55, 67, 88 }<br />
sctp vtag { 33-55 }<br />
</source><br />
|}<br />
<br />
<br />
==== Dccp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dccp match<br />
|-<br />
| ''dport <destination port>''<br />
| Destination port<br />
|<source lang="bash"><br />
dccp dport 22<br />
dccp dport != 33-45<br />
dccp dport { 33-55 }<br />
dccp dport {telnet, http, https }<br />
dccp dport vmap { 22 : accept, 23 : drop }<br />
dccp dport vmap { 25:accept, 28:drop }<br />
</source><br />
|-<br />
| ''sport <source port>''<br />
| Source port<br />
|<source lang="bash"><br />
dccp sport 22<br />
dccp sport != 33-45<br />
dccp sport { 33, 55, 67, 88}<br />
dccp sport { 33-55}<br />
dccp sport vmap { 25:accept, 28:drop }<br />
dccp sport 1024 dccp dport 22<br />
</source><br />
|-<br />
| ''type <type>''<br />
| Type of packet<br />
|<source lang="bash"><br />
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}<br />
dccp type request<br />
dccp type != request<br />
</source><br />
|}<br />
<br />
<br />
==== Ah ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ah match<br />
|-<br />
| ''hdrlength <length>''<br />
| AH header length<br />
|<source lang="bash"><br />
ah hdrlength 11-23<br />
ah hdrlength != 11-23<br />
ah hdrlength {11, 23, 44 }<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
ah reserved 22<br />
ah reserved != 33-45<br />
ah reserved {23, 100 }<br />
ah reserved { 33-55 }<br />
</source><br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
ah spi 111<br />
ah spi != 111-222<br />
ah spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
ah sequence 123<br />
ah sequence {23, 25, 33}<br />
ah sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Esp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|esp match<br />
|-<br />
| ''spi <value>''<br />
| <br />
|<source lang="bash"><br />
esp spi 111<br />
esp spi != 111-222<br />
esp spi {111, 122 }<br />
</source><br />
|-<br />
| ''sequence <sequence>''<br />
| Sequence Number<br />
|<source lang="bash"><br />
esp sequence 123<br />
esp sequence {23, 25, 33}<br />
esp sequence != 23-33<br />
</source><br />
|}<br />
<br />
<br />
==== Comp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|comp match<br />
|-<br />
| ''nexthdr <protocol>''<br />
| Next header protocol (Upper layer protocol)<br />
|<source lang="bash"><br />
comp nexthdr != esp<br />
comp nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}<br />
</source><br />
|-<br />
| ''flags <flags>''<br />
| Flags<br />
|<source lang="bash"><br />
comp flags 0x0<br />
comp flags != 0x33-0x45<br />
comp flags {0x33, 0x55, 0x67, 0x88}<br />
</source><br />
|-<br />
| ''cpi <value>''<br />
| Compression Parameter Index<br />
|<source lang="bash"><br />
comp cpi 22<br />
comp cpi != 33-45<br />
comp cpi {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Icmp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmp match<br />
|-<br />
| ''type <type>''<br />
| ICMP packet type<br />
|<source lang="bash"><br />
icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMP packet code<br />
|<source lang="bash"><br />
icmp code 111<br />
icmp code != 33-55<br />
icmp code { 2, 4, 54, 33, 56}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMP packet checksum<br />
|<source lang="bash"><br />
icmp checksum 12343<br />
icmp checksum != 11-343<br />
icmp checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMP packet id<br />
|<source lang="bash"><br />
icmp id 12343<br />
icmp id != 11-343<br />
icmp id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMP packet sequence<br />
|<source lang="bash"><br />
icmp sequence 12343<br />
icmp sequence != 11-343<br />
icmp sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMP packet mtu<br />
|<source lang="bash"><br />
icmp mtu 12343<br />
icmp mtu != 11-343<br />
icmp mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''gateway <value>''<br />
| ICMP packet gateway<br />
|<source lang="bash"><br />
icmp gateway 12343<br />
icmp gateway != 11-343<br />
icmp gateway { 1111, 222, 343 }<br />
</source><br />
|}<br />
<br />
<br />
==== Icmpv6 ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|icmpv6 match<br />
|-<br />
| ''type <type>''<br />
| ICMPv6 packet type<br />
|<source lang="bash"><br />
icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering}<br />
</source><br />
|-<br />
| ''code <code>''<br />
| ICMPv6 packet code<br />
|<source lang="bash"><br />
icmpv6 code 4<br />
icmpv6 code 3-66<br />
icmpv6 code {5, 6, 7}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| ICMPv6 packet checksum<br />
|<source lang="bash"><br />
icmpv6 checksum 12343<br />
icmpv6 checksum != 11-343<br />
icmpv6 checksum { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''id <value>''<br />
| ICMPv6 packet id<br />
|<source lang="bash"><br />
icmpv6 id 12343<br />
icmpv6 id != 11-343<br />
icmpv6 id { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''sequence <value>''<br />
| ICMPv6 packet sequence<br />
|<source lang="bash"><br />
icmpv6 sequence 12343<br />
icmpv6 sequence != 11-343<br />
icmpv6 sequence { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''mtu <value>''<br />
| ICMPv6 packet mtu<br />
|<source lang="bash"><br />
icmpv6 mtu 12343<br />
icmpv6 mtu != 11-343<br />
icmpv6 mtu { 1111, 222, 343 }<br />
</source><br />
|-<br />
| ''max-delay <value>''<br />
| ICMPv6 packet max delay<br />
|<source lang="bash"><br />
icmpv6 max-delay 33-45<br />
icmpv6 max-delay != 33-45<br />
icmpv6 max-delay {33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Ether ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ether match<br />
|-<br />
| ''saddr <mac address>''<br />
| Source mac address<br />
|<source lang="bash"><br />
ether saddr 00:0f:54:0c:11:04<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
ether type vlan<br />
</source><br />
|}<br />
<br />
==== Dst ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|dst match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}<br />
dst nexthdr 22<br />
dst nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
dst hdrlength 22<br />
dst hdrlength != 33-45<br />
dst hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Frag ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|frag match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
frag nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp, icmp}<br />
frag nexthdr 6<br />
frag nexthdr != 50-51<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
frag reserved 22<br />
frag reserved != 33-45<br />
frag reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''frag-off <value>''<br />
| <br />
|<source lang="bash"><br />
frag frag-off 22<br />
frag frag-off != 33-45<br />
frag frag-off { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''more-fragments <value>''<br />
| <br />
|<source lang="bash"><br />
frag more-fragments 0<br />
frag more-fragments 1<br />
</source><br />
|-<br />
| ''id <value>''<br />
| <br />
|<source lang="bash"><br />
frag id 1<br />
frag id 33-45<br />
</source><br />
|}<br />
<br />
<br />
==== Hbh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|hbh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
hbh nexthdr { udplite, comp, udp, ah, sctp, esp, dccp, tcp, icmpv6}<br />
hbh nexthdr 22<br />
hbh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
hbh hdrlength 22<br />
hbh hdrlength != 33-45<br />
hbh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|}<br />
<br />
<br />
==== Mh ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|mh match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
mh nexthdr 22<br />
mh nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
mh hdrlength 22<br />
mh hdrlength != 33-45<br />
mh hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}<br />
mh type home-agent-switch-message<br />
mh type != home-agent-switch-message<br />
</source><br />
|-<br />
| ''reserved <value>''<br />
| <br />
|<source lang="bash"><br />
mh reserved 22<br />
mh reserved != 33-45<br />
mh reserved { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''checksum <value>''<br />
| <br />
|<source lang="bash"><br />
mh checksum 22<br />
mh checksum != 33-45<br />
mh checksum { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Rt ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|rt match<br />
|-<br />
| ''nexthdr <proto>''<br />
| Next protocol header<br />
|<source lang="bash"><br />
rt nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }<br />
rt nexthdr 22<br />
rt nexthdr != 33-45<br />
</source><br />
|-<br />
| ''hdrlength <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
rt hdrlength 22<br />
rt hdrlength != 33-45<br />
rt hdrlength { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''type <type>''<br />
| <br />
|<source lang="bash"><br />
rt type 22<br />
rt type != 33-45<br />
rt type { 33, 55, 67, 88 }<br />
</source><br />
|-<br />
| ''seg-left <value>''<br />
| <br />
|<source lang="bash"><br />
rt seg-left 22<br />
rt seg-left != 33-45<br />
rt seg-left { 33, 55, 67, 88}<br />
</source><br />
|}<br />
<br />
<br />
==== Vlan ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|vlan match<br />
|-<br />
| ''id <value>''<br />
| Vlan tag ID<br />
|<source lang="bash"><br />
vlan id 4094<br />
vlan id 0<br />
</source><br />
|-<br />
| ''cfi <value>''<br />
| <br />
|<source lang="bash"><br />
vlan cfi 0<br />
vlan cfi 1<br />
</source><br />
|-<br />
| ''pcp <value>''<br />
| <br />
|<source lang="bash"><br />
vlan pcp 7<br />
vlan pcp 3<br />
</source><br />
|}<br />
<br />
<br />
==== Arp ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|arp match<br />
|-<br />
| ''ptype <value>''<br />
| Payload type<br />
|<source lang="bash"><br />
arp ptype 0x0800<br />
</source><br />
|-<br />
| ''htype <value>''<br />
| Header type<br />
|<source lang="bash"><br />
arp htype 1<br />
arp htype != 33-45<br />
arp htype { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''hlen <length>''<br />
| Header Length<br />
|<source lang="bash"><br />
arp hlen 1<br />
arp hlen != 33-45<br />
arp hlen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''plen <length>''<br />
| Payload length<br />
|<source lang="bash"><br />
arp plen 1<br />
arp plen != 33-45<br />
arp plen { 33, 55, 67, 88}<br />
</source><br />
|-<br />
| ''operation <value>''<br />
| <br />
|<source lang="bash"><br />
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}<br />
</source><br />
|}<br />
<br />
<br />
==== Ct ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|ct match<br />
|-<br />
| ''state <state>''<br />
| State of the connection<br />
|<source lang="bash"><br />
ct state { new, established, related, untracked }<br />
ct state != related<br />
ct state established<br />
ct state 8<br />
</source><br />
|-<br />
| ''direction <value>''<br />
| Direction of the packet relative to the connection<br />
|<source lang="bash"><br />
ct direction original<br />
ct direction != original<br />
ct direction {reply, original}<br />
</source><br />
|-<br />
| ''status <status>''<br />
| Status of the connection<br />
|<source lang="bash"><br />
ct status expected<br />
ct status != expected<br />
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Mark of the connection<br />
|<source lang="bash"><br />
ct mark 0<br />
ct mark or 0x23 == 0x11<br />
ct mark or 0x3 != 0x1<br />
ct mark and 0x23 == 0x11<br />
ct mark and 0x3 != 0x1<br />
ct mark xor 0x23 == 0x11<br />
ct mark xor 0x3 != 0x1<br />
ct mark 0x00000032<br />
ct mark != 0x00000032<br />
ct mark 0x00000032-0x00000045<br />
ct mark != 0x00000032-0x00000045<br />
ct mark {0x32, 0x2222, 0x42de3}<br />
ct mark {0x32-0x2222, 0x4444-0x42de3}<br />
ct mark set 0x11 xor 0x1331<br />
ct mark set 0x11333 and 0x11<br />
ct mark set 0x12 or 0x11<br />
ct mark set 0x11<br />
ct mark set mark<br />
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }<br />
</source><br />
|-<br />
| ''expiration <time>''<br />
| Connection expiration time<br />
|<source lang="bash"><br />
ct expiration 30<br />
ct expiration 30s<br />
ct expiration != 233<br />
ct expiration != 3m53s<br />
ct expiration 33-45<br />
ct expiration 33s-45s<br />
ct expiration != 33-45<br />
ct expiration != 33s-45s<br />
ct expiration {33, 55, 67, 88}<br />
ct expiration { 1m7s, 33s, 55s, 1m28s}<br />
</source><br />
|-<br />
| ''helper "<helper>"''<br />
| Helper associated with the connection<br />
|<source lang="bash"><br />
ct helper "ftp"<br />
</source><br />
|-<br />
| | ''[original | reply] bytes <value>''<br />
| <br />
|<source lang="bash"><br />
ct original bytes > 100000<br />
ct bytes > 100000<br />
</source><br />
|-<br />
| | ''[original | reply] packets <value>''<br />
| <br />
|<source lang="bash"><br />
ct reply packets < 100<br />
</source><br />
|-<br />
| | ''[original | reply] saddr <ip source address>''<br />
| <br />
|<source lang="bash"><br />
ct original saddr 192.168.0.1<br />
ct reply saddr 192.168.0.1<br />
ct original saddr 192.168.1.0/24<br />
ct reply saddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] daddr <ip destination address>''<br />
| <br />
|<source lang="bash"><br />
ct original daddr 192.168.0.1<br />
ct reply daddr 192.168.0.1<br />
ct original daddr 192.168.1.0/24<br />
ct reply daddr 192.168.1.0/24<br />
</source><br />
|-<br />
| | ''[original | reply] l3proto <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original l3proto ipv4<br />
</source><br />
|-<br />
| | ''[original | reply] protocol <protocol>''<br />
| <br />
|<source lang="bash"><br />
ct original protocol 6<br />
</source><br />
|-<br />
| | ''[original | reply] proto-dst <port>''<br />
| <br />
|<source lang="bash"><br />
ct original proto-dst 22<br />
</source><br />
|-<br />
| | ''[original | reply] proto-src <port>''<br />
| <br />
|<source lang="bash"><br />
ct reply proto-src 53<br />
</source><br />
|}<br />
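The matches in the tables above are rarely used one at a time; a base chain combines them under a default policy. The script below is an added example (not from the wiki) that builds a default-drop ''inet'' host firewall from the ''ct'', ''ip'', ''icmp'', ''icmpv6'' and ''tcp'' matches shown here (''iifname'' is the ''meta'' match documented further down), and a small shell lint that flags any ''input'' or ''forward'' base chain whose policy is not ''drop''; ''192.0.2.0/24'' is a placeholder administrative network.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the nftables wiki: a default-drop host firewall
# composed from the ct, ip, icmp, icmpv6 and tcp matches in the tables above
# (iifname is a meta match), plus a pure-shell lint for base-chain policies.
# 192.0.2.0/24 is a constructed placeholder for an administrative network.

# Emit the ruleset in nft script form. "add table" followed by "flush table"
# makes re-applying idempotent without touching other tables in the kernel.
ruleset() {
cat <<'EOF'
add table inet filter
flush table inet filter
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state { established, related } accept
		ct state invalid drop
		iifname "lo" accept
		icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
		icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
		ip saddr 192.0.2.0/24 tcp dport 22 accept
		tcp dport vmap { 80 : accept, 443 : accept }
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
EOF
}

# A constructed weak variant: input is policy accept with a blocklist rule,
# and forward declares no policy at all (nft then defaults it to accept).
WEAK_RULESET='table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		tcp dport 23 drop
	}
	chain forward {
		type filter hook forward priority 0;
	}
}'

# lint_policies <ruleset text>: print "chain:hook:policy" for every base chain
# on the input or forward hook whose policy is not drop; returns 1 if any.
lint_policies() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*chain [^ \t]+[ \t]*\{/ { chain = $2; hook = ""; policy = "accept" }
        /^[ \t]*type [a-z]+ hook / {
            for (i = 1; i <= NF; i++) {
                if ($i == "hook") hook = $(i + 1)
                if ($i == "policy") { policy = $(i + 1); sub(/;$/, "", policy) }
            }
            if ((hook == "input" || hook == "forward") && policy != "drop") {
                print chain ":" hook ":" policy
                bad = 1
            }
        }
        END { exit bad }'
}

# Demo: the hardened ruleset passes, the weak one is reported line by line.
lint_policies "$(ruleset)" && echo "hardened ruleset: ok"
lint_policies "$WEAK_RULESET" || echo "weak ruleset: rejected"
```

Apply with ''ruleset | nft -f -''; saving the output to a file and running ''nft -c -f <file>'' first checks the syntax without changing the kernel ruleset.<br />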
<br />
<br />
==== Meta ====<br />
<br />
[[Matching packet metainformation|''meta'']] matches packets by their metainformation.<br />
<br />
{| class="wikitable"<br />
!colspan="6"|meta match<br />
|-<br />
| ''iifname <input interface name>''<br />
| Input interface name<br />
|<source lang="bash"><br />
meta iifname "eth0"<br />
meta iifname != "eth0"<br />
meta iifname {"eth0", "lo"}<br />
meta iifname "eth*"<br />
</source><br />
|-<br />
| ''oifname <output interface name>''<br />
| Output interface name<br />
|<source lang="bash"><br />
meta oifname "eth0"<br />
meta oifname != "eth0"<br />
meta oifname {"eth0", "lo"}<br />
meta oifname "eth*"<br />
</source><br />
|-<br />
| ''iif <input interface index>''<br />
| Input interface index<br />
|<source lang="bash"><br />
meta iif eth0<br />
meta iif != eth0<br />
</source><br />
|-<br />
| ''oif <output interface index>''<br />
| Output interface index<br />
|<source lang="bash"><br />
meta oif lo<br />
meta oif != lo<br />
meta oif {eth0, lo}<br />
</source><br />
|-<br />
| ''iiftype <input interface type>''<br />
| Input interface type<br />
|<source lang="bash"><br />
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta iiftype != ether<br />
meta iiftype ether<br />
</source><br />
|-<br />
| ''oiftype <output interface type>''<br />
| Output interface hardware type<br />
|<source lang="bash"><br />
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}<br />
meta oiftype != ether<br />
meta oiftype ether<br />
</source><br />
|-<br />
| ''length <length>''<br />
| Length of the packet in bytes<br />
|<source lang="bash"><br />
meta length 1000<br />
meta length != 1000<br />
meta length > 1000<br />
meta length 33-45<br />
meta length != 33-45<br />
meta length { 33, 55, 67, 88 }<br />
meta length { 33-55, 67-88 }<br />
</source><br />
|-<br />
| ''protocol <protocol>''<br />
| ethertype protocol<br />
|<source lang="bash"><br />
meta protocol ip<br />
meta protocol != ip<br />
meta protocol { ip, arp, ip6, vlan }<br />
</source><br />
|-<br />
| ''nfproto <protocol>''<br />
| Netfilter protocol family<br />
|<source lang="bash"><br />
meta nfproto ipv4<br />
meta nfproto != ipv6<br />
meta nfproto { ipv4, ipv6 }<br />
</source><br />
|-<br />
| ''l4proto <protocol>''<br />
| Layer 4 protocol<br />
|<source lang="bash"><br />
meta l4proto 22<br />
meta l4proto != 233<br />
meta l4proto 33-45<br />
meta l4proto { 33, 55, 67, 88 }<br />
meta l4proto { 33-55 }<br />
</source><br />
|-<br />
| ''mark [set] <mark>''<br />
| Packet mark<br />
|<source lang="bash"><br />
meta mark 0x4<br />
meta mark 0x00000032<br />
meta mark and 0x03 == 0x01<br />
meta mark and 0x03 != 0x01<br />
meta mark != 0x10<br />
meta mark or 0x03 == 0x01<br />
meta mark or 0x03 != 0x01<br />
meta mark xor 0x03 == 0x01<br />
meta mark xor 0x03 != 0x01<br />
meta mark set 0xffffffc8 xor 0x16<br />
meta mark set 0x16 and 0x16<br />
meta mark set 0xffffffe9 or 0x16<br />
meta mark set 0xffffffde and 0x16<br />
meta mark set 0x32 or 0xfffff<br />
meta mark set 0xfffe xor 0x16<br />
</source><br />
|-<br />
| ''priority [set] <priority>''<br />
| tc class id<br />
|<source lang="bash"><br />
meta priority none<br />
meta priority 0x1:0x1<br />
meta priority 0x1:0xffff<br />
meta priority 0xffff:0xffff<br />
meta priority set 0x1:0x1<br />
meta priority set 0x1:0xffff<br />
meta priority set 0xffff:0xffff<br />
</source><br />
|-<br />
| ''skuid <user id>''<br />
| UID associated with originating socket<br />
|<source lang="bash"><br />
meta skuid {bin, root, daemon}<br />
meta skuid root<br />
meta skuid != root<br />
meta skuid lt 3000<br />
meta skuid gt 3000<br />
meta skuid eq 3000<br />
meta skuid 3001-3005<br />
meta skuid != 2001-2005<br />
meta skuid { 2001-2005 }<br />
</source><br />
|-<br />
| ''skgid <group id>''<br />
| GID associated with originating socket<br />
|<source lang="bash"><br />
meta skgid {bin, root, daemon}<br />
meta skgid root<br />
meta skgid != root<br />
meta skgid lt 3000<br />
meta skgid gt 3000<br />
meta skgid eq 3000<br />
meta skgid 3001-3005<br />
meta skgid != 2001-2005<br />
meta skgid { 2001-2005 }<br />
</source><br />
|-<br />
| ''rtclassid <class>''<br />
| Routing realm<br />
|<source lang="bash"><br />
meta rtclassid cosmos<br />
</source><br />
|-<br />
| ''pkttype <type>''<br />
| Packet type<br />
|<source lang="bash"><br />
meta pkttype broadcast<br />
meta pkttype != broadcast<br />
meta pkttype { broadcast, unicast, multicast}<br />
</source><br />
|-<br />
| ''cpu <cpu index>''<br />
| CPU ID<br />
|<source lang="bash"><br />
meta cpu 1<br />
meta cpu != 1<br />
meta cpu 1-3<br />
meta cpu != 1-2<br />
meta cpu { 2,3 }<br />
meta cpu { 2-3, 5-7 }<br />
</source><br />
|-<br />
| ''iifgroup <input group>''<br />
| Input interface group<br />
|<source lang="bash"><br />
meta iifgroup 0<br />
meta iifgroup != 0<br />
meta iifgroup default<br />
meta iifgroup != default<br />
meta iifgroup {default}<br />
meta iifgroup { 11,33 }<br />
meta iifgroup {11-33}<br />
</source><br />
|-<br />
| ''oifgroup <group>''<br />
| Output interface group<br />
|<source lang="bash"><br />
meta oifgroup 0<br />
meta oifgroup != 0<br />
meta oifgroup default<br />
meta oifgroup != default<br />
meta oifgroup {default}<br />
meta oifgroup { 11,33 }<br />
meta oifgroup {11-33}<br />
</source><br />
|-<br />
| ''cgroup <group>''<br />
| Control group id<br />
|<source lang="bash"><br />
meta cgroup 1048577<br />
meta cgroup != 1048577<br />
meta cgroup { 1048577, 1048578 }<br />
meta cgroup 1048577-1048578<br />
meta cgroup != 1048577-1048578<br />
meta cgroup {1048577-1048578}<br />
</source><br />
|}<br />
<br />
=== Statements ===<br />
<br />
A '''statement''' is the action performed when a packet matches the rule. It can be ''terminal'' or ''non-terminal''. A single rule may contain several non-terminal statements but only one terminal statement.<br />
<br />
==== Verdict statements ====<br />
<br />
The '''verdict statement''' alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:<br />
<br />
* ''accept'': Accept the packet and stop evaluating the remaining rules.<br />
* ''drop'': Drop the packet and stop evaluating the remaining rules.<br />
* ''queue'': Queue the packet to userspace and stop evaluating the remaining rules.<br />
* ''continue'': Continue the ruleset evaluation with the next rule.<br />
* ''return'': Return from the current chain and continue at the next rule of the calling chain. In a base chain it is equivalent to accept.<br />
* ''jump <chain>'': Continue at the first rule of <chain>. Evaluation resumes at the next rule of the calling chain once a return statement is issued.<br />
* ''goto <chain>'': Similar to jump, but the current position is not remembered, so after the new chain the evaluation continues at the last chain (the one that called the chain containing the goto statement) instead of the one containing the goto statement.<br />
<br />
==== Log ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|log statement<br />
|-<br />
| ''level [over] <value> <unit> [burst <value> <unit>]''<br />
| Log level<br />
|<source lang="bash"><br />
log<br />
log level emerg<br />
log level alert<br />
log level crit<br />
log level err<br />
log level warn<br />
log level notice<br />
log level info<br />
log level debug<br />
</source><br />
|-<br />
| ''group <value> [queue-threshold <value>] [snaplen <value>] [prefix "<prefix>"]''<br />
| Netlink log group<br />
|<source lang="bash"><br />
log prefix aaaaa-aaaaaa group 2 snaplen 33<br />
log group 2 queue-threshold 2<br />
log group 2 snaplen 33<br />
</source><br />
|}<br />
<br />
<br />
==== Reject ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|reject statement<br />
|-<br />
| ''with <protocol> type <type>''<br />
| Reject with an ICMP/ICMPv6 error or a TCP reset<br />
|<source lang="bash"><br />
reject<br />
reject with icmp type host-unreachable<br />
reject with icmp type net-unreachable<br />
reject with icmp type prot-unreachable<br />
reject with icmp type port-unreachable<br />
reject with icmp type net-prohibited<br />
reject with icmp type host-prohibited<br />
reject with icmp type admin-prohibited<br />
reject with icmpv6 type no-route<br />
reject with icmpv6 type admin-prohibited<br />
reject with icmpv6 type addr-unreachable<br />
reject with icmpv6 type port-unreachable<br />
ip protocol tcp reject with tcp reset<br />
reject with icmpx type host-unreachable<br />
reject with icmpx type no-route<br />
reject with icmpx type admin-prohibited<br />
reject with icmpx type port-unreachable<br />
</source><br />
|}<br />
<br />
<br />
==== Counter ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|counter statement<br />
|-<br />
| ''packets <packets> bytes <bytes>''<br />
| Packet and byte counter<br />
|<source lang="bash"><br />
counter<br />
counter packets 0 bytes 0<br />
</source><br />
|}<br />
<br />
<br />
==== Limit ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|limit statement<br />
|-<br />
| ''rate [over] <value> <unit> [burst <value> <unit>]''<br />
| Rate limit<br />
|<source lang="bash"><br />
limit rate 400/minute<br />
limit rate 400/hour<br />
limit rate over 40/day<br />
limit rate over 400/week<br />
limit rate over 1023/second burst 10 packets<br />
limit rate 1025 kbytes/second<br />
limit rate 1023000 mbytes/second<br />
limit rate 1025 bytes/second burst 512 bytes<br />
limit rate 1025 kbytes/second burst 1023 kbytes<br />
limit rate 1025 mbytes/second burst 1025 kbytes<br />
limit rate 1025000 mbytes/second burst 1023 mbytes<br />
</source><br />
|}<br />
<br />
==== Nat ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|nat statement<br />
|-<br />
| ''dnat <destination address>''<br />
| Destination address translation<br />
|<source lang="bash"><br />
dnat 192.168.3.2<br />
dnat ct mark map { 0x00000014 : 1.2.3.4}<br />
</source><br />
|-<br />
| ''snat <ip source address>''<br />
| Source address translation<br />
|<source lang="bash"><br />
snat 192.168.3.2<br />
snat 2001:838:35f:1::-2001:838:35f:2:::100<br />
</source><br />
|-<br />
| ''masquerade [<type>] [to :<port>]''<br />
| Masquerade<br />
|<source lang="bash"><br />
masquerade<br />
masquerade persistent,fully-random,random<br />
masquerade to :1024<br />
masquerade to :1024-2048<br />
</source><br />
|}<br />
<br />
==== Queue ====<br />
<br />
{| class="wikitable"<br />
!colspan="6"|queue statement<br />
|-<br />
| ''num <value> <scheduler>''<br />
| Queue number<br />
|<source lang="bash"><br />
queue<br />
queue num 2<br />
queue num 2-3<br />
queue num 4-5 fanout bypass<br />
queue num 4-5 fanout<br />
queue num 4-5 bypass<br />
</source><br />
|}<br />
<br />
== Extras ==<br />
<br />
=== Export Configuration ===<br />
<br />
<source lang="bash"><br />
% nft export (xml | json)<br />
</source><br />
<br />
=== Monitor Events ===<br />
<br />
Monitor ruleset events from Netlink, optionally filtering by event and object type.<br />
<br />
<source lang="bash"><br />
% nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]<br />
</source><br />
<br />
<br />
= Nft scripting =<br />
<br />
== List ruleset ==<br />
<br />
<source lang="bash"><br />
% nft list ruleset<br />
</source><br />
<br />
== Flush ruleset ==<br />
<br />
<source lang="bash"><br />
% nft flush ruleset<br />
</source><br />
<br />
== Load ruleset ==<br />
<br />
Create a command batch file and load it with the nft interpreter,<br />
<br />
<source lang="bash"><br />
% echo "flush ruleset" > /etc/nftables.rules<br />
% echo "add table filter" >> /etc/nftables.rules<br />
% echo "add chain filter input" >> /etc/nftables.rules<br />
% echo "add rule filter input meta iifname lo accept" >> /etc/nftables.rules<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file,<br />
<br />
<source lang="bash"><br />
% cat << EOF > /etc/nftables.rules<br />
> #!/usr/local/sbin/nft -f<br />
> flush ruleset<br />
> add table filter<br />
> add chain filter input<br />
> add rule filter input meta iifname lo accept<br />
> EOF<br />
% chmod u+x /etc/nftables.rules<br />
% /etc/nftables.rules<br />
</source><br />
<br />
or create an executable nft script file from an already created ruleset,<br />
<br />
<source lang="bash"><br />
% nft list ruleset > /etc/nftables.rules<br />
% nft flush ruleset<br />
% nft -f /etc/nftables.rules<br />
</source><br />
<br />
<br />
= Examples =<br />
<br />
== Simple IP/IPv6 Firewall ==<br />
<br />
<source lang="bash"><br />
flush ruleset<br />
<br />
table firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
icmp type echo-request accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
<br />
table ip6 firewall {<br />
chain incoming {<br />
type filter hook input priority 0; policy drop;<br />
<br />
# established/related connections<br />
ct state established,related accept<br />
<br />
# invalid connections<br />
ct state invalid drop<br />
<br />
# loopback interface<br />
iifname lo accept<br />
<br />
# icmp<br />
# routers may also want: mld-listener-query, nd-router-solicit<br />
icmpv6 type {echo-request,nd-neighbor-solicit} accept<br />
<br />
# open tcp ports: sshd (22), httpd (80)<br />
tcp dport {ssh, http} accept<br />
}<br />
}<br />
</source></div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=391
Classification to tc structure example
2019-04-16T07:40:30Z
<p>Vaclavz: </p>
<hr />
<div>== Introduction ==<br />
* '''nftables''' can replace not only ''iptables'' but also the very poorly documented ''tc filter'' rules, allowing the user to classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has a very good impact on performance in large filtering structures, because they use hashing to find the correct value. <br />
* the action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x can be omitted, but it makes clear that this is a hex number - the double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions in one single rule and match on several pieces of information - a counter is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new nice features.<br />
* '''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
* packet: <br />
** source address 8.8.8.8<br />
** destination address 10.20.255.50<br />
** '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
** '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - elements can be subnets too<br />
** '''meta priority set ip daddr map @group_114_prio''' - sets the packet priority based on its destination address, looked up in the map named group_114_prio - here it sets the priority to 1:ffd9<br />
<br />
== Basic prototypes ==<br />
=== tc class structure ===<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
=== tc qdisc structure ===<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
=== nftables structure ===<br />
<br />
table ip filter {<br />
map subnet_map {<br />
type ipv4_addr : verdict<br />
flags interval<br />
elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
10.20.255.128/29 : goto group_114 }<br />
}<br />
<br />
set priority_set { <br />
type ipv4_addr<br />
flags interval<br />
elements = { 8.8.8.8, 8.8.4.4 }<br />
} <br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
} <br />
<br />
chain forward {<br />
type filter hook forward priority filter; policy accept;<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " <br />
} <br />
<br />
chain input {<br />
type filter hook input priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
} <br />
<br />
chain output {<br />
type filter hook output priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
} <br />
<br />
chain group_114 {<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
}<br />
<br />
=== nftables commands ===<br />
* executed using '''nft -f filename.nft''', or from libnftables using the function ''nft_run_cmd_from_buffer''<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
== Packet processing ==<br />
=== chain forward ===<br />
# packet passing through server<br />
'''chain forward {'''<br />
# ''hook forward'' does the magic, not the name of the chain<br />
# ''priority filter'' can be used in nftables versions newer than 0.9.0<br />
'''type filter hook forward priority filter; policy accept;'''<br />
# the packet is matched against '''subnet_map''', which is a ''verdict map'' (e.g. 10.20.255.48/29 : goto group_114)<br />
'''meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0''' # packet's dst address is looked up<br />
# it holds the decision on where to send the packet for further processing when matched - here chain group_114<br />
'''meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0''' # packet's src address is looked up<br />
# a packet to a private destination subnet with no priority set yet gets 1:0xffff<br />
'''ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
# a packet from a private source subnet with no priority set yet gets 1:0xffff<br />
'''ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "''' <br />
'''ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "''' <br />
'''ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "''' <br />
# the rest of the traffic is sent to a separate tc class object<br />
'''meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "'''<br />
'''}'''<br />
<br />
=== chain group_114 ===<br />
# subnet_map redirected the packet here<br />
'''chain group_114 {'''<br />
# the packet's source / destination address is matched against the set named priority_set, and the packet must not have any priority set yet<br />
'''meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0'''<br />
# when matched, the destination address of the packet is looked up in the group_114_prio map and the priority is set accordingly - 1:ffd9<br />
'''meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0'''<br />
# packets heading to or originating from non-prioritized addresses are matched in the next steps<br />
'''meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0'''<br />
'''meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0'''<br />
# unknown traffic is assigned to the untracked object - 1:0xffff<br />
'''meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "'''<br />
'''}'''<br />
<br />
'''map group_114 {'''<br />
'''type ipv4_addr : classid'''<br />
'''flags interval'''<br />
'''elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,'''<br />
'''10.20.255.130 : 1:ffd2 }'''<br />
'''}''' <br />
<br />
'''map group_114_prio {'''<br />
'''type ipv4_addr : classid'''<br />
'''flags interval'''<br />
'''elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,'''<br />
'''10.20.255.130 : 1:ffd3 }'''<br />
'''}'''<br />
<br />
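The walk-through above and the ''Verdict statements'' list in the quick reference are simulated by this added Python example (not nftables or libnftables code): a small evaluator modelled on the kernel's chain walk, fed the wiki's own sets, maps and rules as constructed Python data, plus a hypothetical ''input''/''helper'' chain pair to contrast ''jump'' with ''goto''. It assumes that a return in a base chain applies the chain's policy, which for the ''policy accept'' chains here is the "equivalent to accept" the text describes.<br />
<br />
```python
"""Simulated nft chain walk: verdicts (accept/drop/continue/return/jump/goto) and the
wiki's tc classification ruleset. Added example, not nftables' own code."""
import ipaddress

CONTINUE = "continue"

# Constructed copies of the wiki's sets and maps. 'flags interval' objects are keyed
# by CIDR; a lookup returns the value of the first interval containing the address.
SUBNET_MAP = {"10.20.255.48/29": ("goto", "group_114"), "10.20.255.88/29": ("goto", "group_114"),
              "10.20.255.128/29": ("goto", "group_114")}
PRIORITY_SET = {"8.8.8.8/32": True, "8.8.4.4/32": True}
GROUP_114 = {"10.20.255.50/32": "1:ffd8", "10.20.255.90/32": "1:ffd5", "10.20.255.130/32": "1:ffd2"}
GROUP_114_PRIO = {"10.20.255.50/32": "1:ffd9", "10.20.255.90/32": "1:ffd6", "10.20.255.130/32": "1:ffd3"}

def lookup(addr, table):
    """Interval set/map lookup; None when no element contains addr (the rule won't match)."""
    ip = ipaddress.ip_address(addr)
    return next((v for net, v in table.items() if ip in ipaddress.ip_network(net)), None)

def in_net(field, net):
    """Guard for 'ip <field> <prefix>' or 'ip <field> @set' (net may be a set dict)."""
    return lambda pkt: lookup(pkt[field], net if isinstance(net, dict) else {net: True}) is True

def rule_vmap(field, vmap):
    """'meta priority none ip <field> vmap @map': a hit yields the element's verdict."""
    def rule(pkt):
        return CONTINUE if pkt["priority"] is not None else lookup(pkt[field], vmap) or CONTINUE
    return rule

def rule_set_priority(guard, field, target):
    """'meta priority none <guard> meta priority set <target>', target being a fixed classid
    or 'ip <field> map @table'. The 'meta priority none' guard is what keeps later rules
    from overwriting a classid set by an earlier one."""
    def rule(pkt):
        if pkt["priority"] is not None or not guard(pkt):
            return CONTINUE
        classid = target if isinstance(target, str) else lookup(pkt[field], target)
        if classid is not None:             # a map miss means the rule does not match
            pkt["priority"] = classid       # non-terminal: evaluation continues
        return CONTINUE
    return rule

def evaluate(chains, base, pkt):
    """Walk from a base chain. chains: name -> (rules, policy), policy None for regular
    chains. As in the kernel, jump pushes a resume point and goto does not; return (or
    running off the end of a chain) pops one, else applies the base chain's policy."""
    stack, chain, idx, trace = [], base, 0, []
    while True:
        rules = chains[chain][0]
        verdict = rules[idx](pkt) if idx < len(rules) else "return"
        idx += 1
        if verdict in ("accept", "drop", "queue"):            # terminal verdicts
            return verdict, trace + [f"{chain}: {verdict}"]
        if isinstance(verdict, tuple):                        # ("jump"|"goto", chain)
            kind, target = verdict
            trace.append(f"{chain}: {kind} {target}")
            if kind == "jump":
                stack.append((chain, idx))
            chain, idx = target, 0
        elif verdict == "return":
            if stack:
                chain, idx = stack.pop()
            else:  # assumption: return in a base chain applies its policy (accept here)
                return chains[base][1], trace + [f"{base}: policy {chains[base][1]}"]

ANY = lambda pkt: True
CHAINS = {  # the wiki's 'chain forward' and 'chain group_114'; counters and logs omitted
    "forward": ([
        rule_vmap("daddr", SUBNET_MAP),
        rule_vmap("saddr", SUBNET_MAP),
        rule_set_priority(in_net("daddr", "192.168.0.0/16"), None, "1:ffff"),
        rule_set_priority(in_net("saddr", "192.168.0.0/16"), None, "1:ffff"),
        rule_set_priority(in_net("daddr", "10.0.0.0/8"), None, "1:ffff"),
        rule_set_priority(in_net("saddr", "10.0.0.0/8"), None, "1:ffff"),
        rule_set_priority(ANY, None, "1:2"),                              # non_shaped
    ], "accept"),
    "group_114": ([
        rule_set_priority(in_net("saddr", PRIORITY_SET), "daddr", GROUP_114_PRIO),
        rule_set_priority(in_net("daddr", PRIORITY_SET), "saddr", GROUP_114_PRIO),
        rule_set_priority(ANY, "daddr", GROUP_114),
        rule_set_priority(ANY, "saddr", GROUP_114),
        rule_set_priority(ANY, None, "1:ffff"),                           # untracked
    ], None),
}

def classify(saddr, daddr):
    """Send one packet through 'forward'; returns (tc classid or None, verdict, trace)."""
    pkt = {"saddr": saddr, "daddr": daddr, "priority": None}
    verdict, trace = evaluate(CHAINS, "forward", pkt)
    return pkt["priority"], verdict, trace

def verdict_demo(kind):
    """Hypothetical base chain 'input' = [kind helper, drop], regular chain 'helper' =
    [continue, return]: only jump resumes at input's next rule (drop); goto ends at the policy."""
    chains = {"input": ([lambda p: (kind, "helper"), lambda p: "drop"], "accept"),
              "helper": ([lambda p: CONTINUE, lambda p: "return"], None)}
    return evaluate(chains, "input", {"saddr": "0.0.0.0", "daddr": "0.0.0.0", "priority": None})[0]
```
<br />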
== Additional documentations and articles ==<br />
* this article can help a lot when defining the redesigned rule structure; it shows the performance of different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page - it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree<br />
* there is not much information about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Matching_packet_metainformation&diff=390
Matching packet metainformation
2019-04-16T07:23:05Z
<p>Vaclavz: /* Matching packet priority */</p>
<hr />
<div>''nftables'' comes with the packet metainformation selectors that you can use to match information that is stored in the network packet. <br />
<br />
= The meta selectors =<br />
<br />
The current metainformation that you can match is:<br />
<br />
* interface device name and interface device index: ''iifname'', ''oifname'', ''iif'' and ''oif''.<br />
* interface type: ''iiftype'' and ''oiftype''.<br />
* tc handle: ''priority''.<br />
* socket user and group identifier: ''skuid'' and ''skgid''.<br />
* packet length: ''length''.<br />
<br />
== Matching packets by interface name ==<br />
<br />
You can use the following selectors to match the interface name:<br />
<br />
* ''iifname'', to match the input network interface name.<br />
* ''oifname'', to match the output network interface name.<br />
* ''iif'', to match the interface index of the network interface. This is faster than ''iifname'' as it only has to compare a 32-bit unsigned integer instead of a string. The interface index is dynamically allocated, so don't use this for interfaces that are dynamically created and destroyed, e.g. ''ppp0''.<br />
* ''oif'', like ''iif'' but it matches the output network interface index.<br />
<br />
An example usage of the interface name is the following:<br />
<br />
<source lang="bash"><br />
% nft add rule filter input meta oifname lo accept<br />
</source><br />
<br />
This rule accepts all traffic for the loopback pseudodevice ''lo''.<br />
<br />
== Matching packets by packet mark ==<br />
<br />
You can match packets whose mark is 123 with the following rule:<br />
<br />
<source lang="bash"><br />
nft add rule filter output meta mark 123 counter<br />
</source><br />
<br />
== Matching packets by the socket UID ==<br />
<br />
You can use your user name to match traffic, e.g.<br />
<br />
<source lang="bash"><br />
% nft add rule filter output meta skuid pablo counter<br />
</source><br />
<br />
Or the 32-bit unsigned integer (UID), in case there is no entry in /etc/passwd for the given user.<br />
<br />
<source lang="bash"><br />
% nft add rule filter output meta skuid 1000 counter<br />
</source><br />
<br />
Let's just generate some HTTP traffic to test this rule:<br />
<br />
<source lang="bash"><br />
% wget --spider http://www.google.com<br />
</source><br />
<br />
Then, if you check the counters, you can verify that the packets are matching that rule.<br />
<br />
<source lang="bash"><br />
% nft list table filter<br />
table ip filter {<br />
chain output {<br />
type filter hook output priority 0;<br />
skuid pablo counter packets 7 bytes 510<br />
}<br />
<br />
chain input {<br />
type filter hook input priority 0;<br />
}<br />
}<br />
</source><br />
<br />
'''Important''': Beware if you test this with ''ping'': it is usually installed setuid root, so its traffic will match the root user (uid=0) rather than your own.<br />
<br />
== Matching packet priority ==<br />
<br />
* Since nftables v0.7 you can match the packet priority, the tc classid:<br />
<br />
<source><br />
% nft add rule filter forward meta priority abcd:1234<br />
</source><br />
<br />
* A packet without a priority set can be matched using ''meta priority none'':<br />
<source><br />
% nft add rule filter forward meta priority none<br />
</source></div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Main_Page&diff=389
Main Page
2019-04-16T07:21:06Z
<p>Vaclavz: /* Examples */</p>
<hr />
<div>Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.<br />
<br />
If you have any suggestions to improve it, please send your comments to the Netfilter users mailing list <netfilter@vger.kernel.org>.<br />
<br />
= Introduction =<br />
<br />
* [[What is nftables?]]<br />
* [[Why nftables?]]<br />
* [[Main differences with iptables]]<br />
* [[Netfilter hooks]] and integration with existing Netfilter components.<br />
* [[Adoption]]<br />
* [[Legacy xtables tools]]<br />
<br />
= Getting started =<br />
<br />
* [[Building and installing nftables from sources]]<br />
* Using [[nftables from distributions]]<br />
* [[Troubleshooting|Troubleshooting and FAQ]]<br />
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]<br />
* [[nftables families|Understanding nftables families]]<br />
<br />
= Basic operation =<br />
<br />
* [[Configuring tables]]<br />
* [[Configuring chains]]<br />
* [[Simple rule management]]<br />
* [[Atomic rule replacement]]<br />
* [[Error reporting from the command line]]<br />
* [[Building rules through expressions]]<br />
* [[Operations at ruleset level]]<br />
* [[Monitoring ruleset updates]]<br />
* [[Scripting]]<br />
* [[Ruleset debug/tracing]]<br />
* [[Moving from iptables to nftables]]<br />
* [[Moving from ipset to nftables]]<br />
<br />
= Supported selectors for packet matching =<br />
<br />
* [[Matching packet header fields]]<br />
* [[Matching packet metainformation]]<br />
* [[Matching connection tracking stateful metainformation]]<br />
* [[Rate limiting matchings]]<br />
* [[Routing information]]<br />
<br />
= Possible actions on packets =<br />
<br />
* [[Accepting and dropping packets]]<br />
* [[Jumping to chain]]<br />
* [[Rejecting traffic]]<br />
* [[Logging traffic]]<br />
* [[Performing Network Address Translation (NAT)]]<br />
* [[Setting packet metainformation]]<br />
* [[Queueing to userspace]]<br />
* [[Duplicating packets]]<br />
* [[Mangle packet header fields]]<br />
* [[Mangle TCP options]]<br />
* [[Counters]]<br />
* [[Load balancing]]<br />
* [[Setting packet connection tracking metainformation]]<br />
<br />
Note that, unlike ''iptables'', you can perform several actions in one single rule.<br />
<br />
= Advanced data structures for performance packet classification =<br />
<br />
You will have to redesign your rule-set to benefit from these new nice features:<br />
<br />
* [[Sets]]<br />
* [[Dictionaries]]<br />
* [[Intervals]]<br />
* [[Maps]]<br />
* [[Concatenations]]<br />
* [[Meters|Metering]] (formerly known as flow tables before nftables 0.8.1 release)<br />
* [[Updating sets from the packet path]]<br />
* [[Element timeouts]]<br />
* [[Math operations]]<br />
* [[Stateful objects]]<br />
<br />
If you are already using [[ipset]] in your ''iptables'' rule-set, the transition may be a bit simpler for you.<br />
<br />
= Examples =<br />
<br />
* [[Simple ruleset for a workstation]]<br />
* [[Bridge filtering]]<br />
* [[Multiple NATs using nftables maps]]<br />
* [[Classic perimetral firewall example]]<br />
* [[Port knocking example]]<br />
* [[Classification to tc structure example]]<br />
<br />
= Development progress =<br />
<br />
* [[List of updates since Linux kernel 3.13]]<br />
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]<br />
* [[List of available translations via iptables-translate tool]]<br />
<br />
= External links =<br />
<br />
Watch some videos:<br />
<br />
* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.<br />
* Watch [https://www.youtube.com/watch?v=CaYp0d2wiuU#t=1m47s The ultimate packet classifier for GNU/Linux], thanks to the FSFE for paying my trip to Barcelona and for recommending me as speaker to the KDE Spanish branch.<br />
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]<br />
* Watch [https://www.youtube.com/watch?v=qXVOA2MKA1s Netdev 2.1 - Netfilter workshop]<br />
* Watch [https://youtu.be/iCj10vEKPrw Netdev 2.2 - Netfilter mini-workshop]<br />
* Watch [https://youtu.be/0hqfzp6tpZo Netdev 0x12 - Netfilter mini-workshop]<br />
* Watch [https://www.youtube.com/watch?v=0wQfSfDVN94 NLUUG - Goodbye iptables, Hello nftables]<br />
* Watch [https://www.youtube.com/watch?v=Uf5ULkEWPL0 LCA2018 - nftables from a user perspective]<br />
<br />
Additional documentations and articles:<br />
<br />
* Tutorial [https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/ Extending nftables by Xiang Gao]<br />
* Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables]<br />
<br />
= Thanks =<br />
<br />
To the NLnet foundation for initial sponsorship of this HOWTO:<br />
<br />
[https://nlnet.nl https://nlnet.nl/image/logo.gif]<br />
<br />
To Eric Leblond, for bootstrapping the [https://home.regit.org/netfilter-en/nftables-quick-howto/ Nftables quick howto] in 2013.</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=388
Classification to tc structure example
2019-04-16T07:20:45Z
<p>Vaclavz: /* Additional documentations and articles */</p>
<hr />
<div>== Introduction ==<br />
* '''nftables''' can replace not only ''iptables'' but also the very poorly documented ''tc filter'' rules: it lets you classify packets directly into the tc class / qdisc infrastructure.<br />
* It also supports sets and maps (with much cleaner and more intuitive behaviour than ''tc filter''), which pays off in large classification structures because an element lookup uses hashing instead of a rule-by-rule walk.<br />
* The action that classifies a packet into the tc structure is '''meta priority set "1:0x2"'''. The ''0x'' prefix can be omitted, but it makes clear that the class id is a hexadecimal number; the double quotes are required in this form. ''nft list ruleset'' prints the same statement back as ''meta priority set 1:2''.<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions and several matches in one single rule; a ''counter'' is a must-have for debugging.<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
* '''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
* packet: <br />
** source address 8.8.8.8<br />
** destination address 10.20.255.50<br />
** '''meta priority none''' - matches the packet only when no priority (tc class id) has been set on it yet<br />
** '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set (here 8.8.8.8 or 8.8.4.4; elements can be subnets too)<br />
** '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority from the map named group_114_prio, keyed by the destination address; for 10.20.255.50 the result is 1:ffd9<br />
<br />
=== Basic prototype - tc class structure ===<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
=== Basic prototype - tc qdisc structure ===<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
=== Basic prototype - nftables structure ===<br />
<source><br />
table ip filter {<br />
	map subnet_map {<br />
		type ipv4_addr : verdict<br />
		flags interval<br />
		elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
			     10.20.255.128/29 : goto group_114 }<br />
	}<br />
<br />
	set priority_set {<br />
		type ipv4_addr<br />
		flags interval<br />
		elements = { 8.8.8.8, 8.8.4.4 }<br />
	}<br />
<br />
	map group_114 {<br />
		type ipv4_addr : classid<br />
		flags interval<br />
		elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
			     10.20.255.130 : 1:ffd2 }<br />
	}<br />
<br />
	map group_114_prio {<br />
		type ipv4_addr : classid<br />
		flags interval<br />
		elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
			     10.20.255.130 : 1:ffd3 }<br />
	}<br />
<br />
	chain forward {<br />
		type filter hook forward priority filter; policy accept;<br />
		meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
		meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
		ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
		ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
		ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
		ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
		meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
	}<br />
<br />
	chain input {<br />
		type filter hook input priority filter; policy accept;<br />
		meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
	}<br />
<br />
	chain output {<br />
		type filter hook output priority filter; policy accept;<br />
		meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
	}<br />
<br />
	chain group_114 {<br />
		meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
		meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
		meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
		meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
		meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
	}<br />
}<br />
</source><br />
<br />
=== Basic nftables commands ===<br />
* load it with '''nft -f filename.nft''', or from a program through libnftables (''nft_run_cmd_from_buffer'')<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
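The script above assigns class ids in two places, the ''meta priority set'' statements and the classid map elements, and nothing checks that a tc class with that id actually exists. hfsc only honours ''skb->priority'' when it names an existing leaf class; otherwise the packet goes through the tc filters and, failing those, into the ''default'' class of the qdisc (''default 2'' in the listing above, i.e. 1:2), so a typo in a map silently puts a host into the non-shaped class. The following Python script is an added example, not code from the nftables project or from this page: it parses the class tree as printed on this page (the ''name#major:minor'' listing format is an assumption about that output, it is not raw ''tc class show''), the qdisc line and the ''add rule'' / ''add element'' lines, and reports every class id the ruleset uses that the tree does not define. Run against the listings on this page it flags 1:ffd5 and 1:ffd6, which the tree excerpt does not show.<br />

```python
"""Cross-check the classids an nft ruleset steers packets into against the tc
class tree, so no `meta priority set` points at a class that does not exist.
Added example, not code from the nftables project.  The inputs are the tc class
tree, qdisc listing and nft script from this page; the tree is the page's own
pretty-printed format (name#major:minor), not raw `tc class show` output, and
the regexes below assume that format.  A classid with no tc class behind it is
handled by the hfsc `default` class, i.e. shaped as 1:2 here."""
import re

# Constructed sample input: the class tree as listed on the page, hfsc parameters abridged.
TC_CLASS_TREE = """\
+---(1:) hfsc
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ...
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ...
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ...
|   +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ...
|   |   +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ...
|   |   |   +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit
|   |   |   +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit
|   |   +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ...
|   |   |   +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit
|   |   |   +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ...
"""
TC_QDISCS = "qdisc hfsc 1: root refcnt 2 default 2\n"

# The nft script lines from the page that assign a classid (add rule / add element).
NFT_SCRIPT = """\
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - "
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - "
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - "
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }
"""

TC_CLASS_RE = re.compile(r"#([0-9a-fA-F]+):([0-9a-fA-F]+)\)")
# Matches both the script form ('set "1:0xffd9"', ': "1:0xffd9"') and the
# unquoted form that nft list ruleset prints ('set 1:ffd9', ': 1:ffd9').
NFT_CLASSID_RE = re.compile(r'(?:priority set|:)\s*"?([0-9a-fA-F]+):(?:0x)?([0-9a-fA-F]+)"?')
HFSC_DEFAULT_RE = re.compile(r"qdisc hfsc ([0-9a-fA-F]+): root .*\bdefault ([0-9a-fA-F]+)")

def norm(major, minor):
    """Canonical classid text as nft prints it: hex, no 0x, no leading zeros."""
    return f"{int(major, 16):x}:{int(minor, 16):x}"

def tc_classids(tree):
    return {norm(ma, mi) for ma, mi in TC_CLASS_RE.findall(tree)}

def nft_classids(script):
    """classid -> script lines that send packets into it."""
    refs = {}
    for line in script.splitlines():
        for ma, mi in NFT_CLASSID_RE.findall(line):
            refs.setdefault(norm(ma, mi), []).append(line.strip())
    return refs

def hfsc_default_class(qdiscs):
    m = HFSC_DEFAULT_RE.search(qdiscs)
    return norm(m.group(1), m.group(2)) if m else None

def dangling_classids(tree, script):
    """Classids the ruleset assigns but the tc tree does not define."""
    return sorted(set(nft_classids(script)) - tc_classids(tree))

if __name__ == "__main__":
    refs = nft_classids(NFT_SCRIPT)
    for cid in dangling_classids(TC_CLASS_TREE, NFT_SCRIPT):
        print(f"{cid}: no tc class, traffic falls into default {hfsc_default_class(TC_QDISCS)}")
        for line in refs[cid]:
            print("   ", line)
```

To run it against a live box, replace the constructed strings with the output of ''nft list ruleset'' (the regex also accepts the unquoted ''1:ffd9'' form nft prints) and with your own class listing, adjusting TC_CLASS_RE if that is raw ''tc class show'' output. The check only covers existence; hfsc also ignores a priority that names a non-leaf class (1:72 here), which you have to verify separately.<br />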
<br />
== Packet processing ==<br />
=== chain forward ===<br />
# a packet being forwarded by the server<br />
'''chain forward {'''<br />
# ''hook forward'' does the magic, not the name of the chain<br />
# the symbolic ''priority filter'' works in nftables versions newer than 0.9.0; older ones need the numeric ''priority 0'' used in the commands above<br />
'''type filter hook forward priority filter; policy accept;'''<br />
# the destination address is looked up in '''subnet_map''', a ''verdict map'' (10.20.255.48/29 : goto group_114); on a hit the packet is sent to chain group_114 for further processing<br />
'''meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0'''<br />
# the same lookup on the source address<br />
'''meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0'''<br />
# traffic to a private destination subnet that still has no priority is classified into 1:ffff<br />
'''ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
# the same for traffic from a private source subnet<br />
'''ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "''' <br />
'''ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "''' <br />
'''ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "''' <br />
# the rest of the traffic goes to a separate, non-shaped tc class<br />
'''meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "'''<br />
'''}'''<br />
<br />
=== chain group_114 ===<br />
# subnet_map sent the packet here with ''goto'', so when this chain ends the packet does not return to chain forward<br />
'''chain group_114 {'''<br />
# the packet must still have no priority and its source address must be in the set priority_set; the destination address is then looked up in map group_114_prio and the priority is set to the result (1:ffd9 for 10.20.255.50)<br />
'''meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0'''<br />
# the mirror image: destination address in priority_set, priority taken from the source address<br />
'''meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0'''<br />
# packets to / from addresses that are not prioritized get their class from map group_114 in the next two rules; when the address is not in the map the rule does not match and the next one is tried<br />
'''meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0'''<br />
'''meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0'''<br />
# whatever is still unclassified goes to the untracked class 1:ffff<br />
'''meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "'''<br />
'''}'''<br />
<br />
'''map group_114 {'''<br />
'''type ipv4_addr : classid'''<br />
'''flags interval'''<br />
'''elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,'''<br />
'''10.20.255.130 : 1:ffd2 }'''<br />
'''}''' <br />
<br />
'''map group_114_prio {'''<br />
'''type ipv4_addr : classid'''<br />
'''flags interval'''<br />
'''elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,'''<br />
'''10.20.255.130 : 1:ffd3 }'''<br />
'''}'''<br />
<br />
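To see the whole walk above for one packet, the following Python model is an added example, not code from the nftables project or from this page: it encodes the sets, maps and the two chains exactly as listed and replays a packet through them with the semantics this ruleset relies on. Assumptions of the model: ''meta priority none'' holds until a class id is set, an interval set or map returns its most specific element containing the address, a map or vmap miss means the rule does not match, and ''goto'' never returns to the calling chain. The rule texts are shortened labels for the trace, not nft syntax.<br />

```python
"""Offline trace of which classid the page's forward chain assigns to a packet.
Added example, not code from the nftables project.  It models only the nftables
semantics this ruleset relies on (assumptions): `meta priority none` holds until a
classid is set, an interval set/map returns its most specific element containing
the address, a map or vmap miss means the rule does not match, goto never returns."""
from collections import namedtuple
from types import SimpleNamespace
import ipaddress

CONTINUE = ("continue",)
# Sets and maps copied from this page's "Basic prototype - nftables structure".
SETS = {"priority_set": {"8.8.8.8": True, "8.8.4.4": True}}
MAPS = {
    "subnet_map": {"10.20.255.48/29": ("goto", "group_114"),
                   "10.20.255.88/29": ("goto", "group_114"),
                   "10.20.255.128/29": ("goto", "group_114")},
    "group_114": {"10.20.255.50": "1:ffd8", "10.20.255.90": "1:ffd5",
                  "10.20.255.130": "1:ffd2"},
    "group_114_prio": {"10.20.255.50": "1:ffd9", "10.20.255.90": "1:ffd6",
                       "10.20.255.130": "1:ffd3"},
}

def lookup(elements, addr):
    # Interval lookup: value of the most specific element containing addr, else None.
    best = None
    for key, value in elements.items():
        net = ipaddress.ip_network(key)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]

# text: label shown in the trace; matches: predicates that must all hold;
# action: returns CONTINUE, a ("goto", chain) verdict, or None on a map miss.
Rule = namedtuple("Rule", "text matches action log", defaults=(None,))

def prio_none(pkt):           # "meta priority none" (skb->priority == 0)
    return pkt.priority is None

def addr_in(fld, setname):    # "ip saddr @priority_set"
    return lambda pkt: lookup(SETS[setname], getattr(pkt, fld)) is not None

def addr_net(fld, cidr):      # "ip daddr 10.0.0.0/8"
    net = ipaddress.ip_network(cidr)
    return lambda pkt: getattr(pkt, fld) in net

def vmap(fld, mapname):       # "ip daddr vmap @subnet_map": verdict, or None on miss
    return lambda pkt: lookup(MAPS[mapname], getattr(pkt, fld))

def prio_map(fld, mapname):   # "meta priority set ip daddr map @group_114"
    def act(pkt):
        classid = lookup(MAPS[mapname], getattr(pkt, fld))
        if classid is not None:
            pkt.priority = classid
        return None if classid is None else CONTINUE   # miss: rule does not match
    return act

def prio_set(classid):        # 'meta priority set "1:0xffff"'
    def act(pkt):
        pkt.priority = classid
        return CONTINUE
    return act

CHAINS = {
    "forward": [
        Rule("ip daddr vmap @subnet_map", [prio_none], vmap("daddr", "subnet_map")),
        Rule("ip saddr vmap @subnet_map", [prio_none], vmap("saddr", "subnet_map")),
        Rule("ip daddr 192.168.0.0/16 -> 1:ffff", [addr_net("daddr", "192.168.0.0/16"), prio_none], prio_set("1:ffff"), "total - "),
        Rule("ip saddr 192.168.0.0/16 -> 1:ffff", [addr_net("saddr", "192.168.0.0/16"), prio_none], prio_set("1:ffff"), "total - "),
        Rule("ip daddr 10.0.0.0/8 -> 1:ffff", [addr_net("daddr", "10.0.0.0/8"), prio_none], prio_set("1:ffff"), "total - "),
        Rule("ip saddr 10.0.0.0/8 -> 1:ffff", [addr_net("saddr", "10.0.0.0/8"), prio_none], prio_set("1:ffff"), "total - "),
        Rule("rest -> 1:2", [prio_none], prio_set("1:2"), "non_shaped - "),
    ],
    "group_114": [
        Rule("saddr @priority_set, daddr map @group_114_prio",
             [prio_none, addr_in("saddr", "priority_set")], prio_map("daddr", "group_114_prio")),
        Rule("daddr @priority_set, saddr map @group_114_prio",
             [prio_none, addr_in("daddr", "priority_set")], prio_map("saddr", "group_114_prio")),
        Rule("daddr map @group_114", [prio_none], prio_map("daddr", "group_114")),
        Rule("saddr map @group_114", [prio_none], prio_map("saddr", "group_114")),
        Rule("rest -> 1:ffff", [prio_none], prio_set("1:ffff"), "group_114 - "),
    ],
}

def run_chain(name, pkt):
    for r in CHAINS[name]:
        # the action (and its side effect) only runs once every match holds
        if not all(m(pkt) for m in r.matches) or (verdict := r.action(pkt)) is None:
            continue
        pkt.trace.append(f"{name}: {r.text}")
        if r.log:
            pkt.trace.append("log " + r.log)
        if verdict[0] == "goto":
            run_chain(verdict[1], pkt)
            return            # goto: the calling chain is not resumed
    # end of chain: base chain policy accept, priority stays as set

def classify(saddr, daddr):
    """Return (classid or None, trace) for a packet forwarded from saddr to daddr."""
    pkt = SimpleNamespace(saddr=ipaddress.ip_address(saddr),
                          daddr=ipaddress.ip_address(daddr), priority=None, trace=[])
    run_chain("forward", pkt)
    return pkt.priority, pkt.trace

if __name__ == "__main__":
    print(*classify("8.8.8.8", "10.20.255.50"), sep="\n")
```

Two things the trace makes visible: a packet that took the ''goto'' never reaches the ''total - '' or ''non_shaped - '' rules of chain forward, so 1.2.3.4 -> 10.20.255.51 ends as 1:ffff with the ''group_114 - '' log even though it also matches ''ip daddr 10.0.0.0/8''; and 10.20.255.90 -> 8.8.4.4 is sent to 1:ffd6, a class the tc tree on this page does not show. Note also that a verdict returned by ''vmap'' ends the evaluation of that rule, so the ''counter'' written after ''vmap @subnet_map'' is not reached on a hit; put the counter before the lookup if you want to count dispatched packets. For the real thing use ''nft monitor trace'' together with a ''meta nftrace set 1'' rule (see [[Ruleset debug/tracing]]) rather than a model.<br />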
== Additional documentations and articles ==<br />
* this article helps a lot when designing the redesigned rule structure: it shows the performance of different rule layouts, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page; it can also be built as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree<br />
* there is not much information available about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=387
Classification to tc structure example
2019-04-16T07:20:34Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=386
Classification to tc structure example
2019-04-16T07:20:09Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
<div>== Introduction ==<br />
* '''nftables''' can replace not even ''iptables'', but it can be used to replace very poorly documented ''tc filter'' rules and allow user to classify packets into tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has very good impact on performance in large filtering structures, because they use hashing to get correct value. <br />
* action used to classify packets into tc structure is '''meta set priority "1:0x2"''' - 0x can be omitted, but says clearly it is hex number - double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions in one single rule and match several informations - counter is must have for debugging<br />
* You will have to redesign your rule structure to benefit from these new nice features.<br />
* '''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
* packet: <br />
** source address 8.8.8.8<br />
** destination address 10.20.255.50<br />
** '''meta priority none''' - matches packet only when there is no priority - tc class id - set yet<br />
** '''ip saddr @priority_set''' - matches packet only when source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - can be subnet too<br />
** '''meta priority set ip daddr map @group_114_prio''' - sets priority to packet based on its destination address, which is read from map named group_114_prio - sets priority to 1:ffd9<br />
<br />
=== Basic prototype - tc class structure ===<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
=== Basic prototype - tc qdisc structure ===<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
=== Basic prototype - nftables structure ===<br />
<br />
<source lang="bash"><br />
table ip filter {<br />
	map subnet_map {<br />
		type ipv4_addr : verdict<br />
		flags interval<br />
		elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
			     10.20.255.128/29 : goto group_114 }<br />
	}<br />
<br />
	set priority_set {<br />
		type ipv4_addr<br />
		flags interval<br />
		elements = { 8.8.8.8, 8.8.4.4 }<br />
	}<br />
<br />
	map group_114 {<br />
		type ipv4_addr : classid<br />
		flags interval<br />
		elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
			     10.20.255.130 : 1:ffd2 }<br />
	}<br />
<br />
	map group_114_prio {<br />
		type ipv4_addr : classid<br />
		flags interval<br />
		elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
			     10.20.255.130 : 1:ffd3 }<br />
	}<br />
<br />
	chain forward {<br />
		type filter hook forward priority filter; policy accept;<br />
		meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
		meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
		ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
		ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
		ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
		ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
		meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
	}<br />
<br />
	chain input {<br />
		type filter hook input priority filter; policy accept;<br />
		meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
	}<br />
<br />
	chain output {<br />
		type filter hook output priority filter; policy accept;<br />
		meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
	}<br />
<br />
	chain group_114 {<br />
		meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
		meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
		meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
		meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
		meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
	}<br />
}<br />
</source><br />
<br />
=== Basic nftables commands ===<br />
* executed with '''nft -f filename.nft''', or from a program through the libnftables function ''nft_run_cmd_from_buffer''<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set { 8.8.8.8 }<br />
add element ip filter priority_set { 8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
== Packet processing ==<br />
* '''chain forward'''<br />
<source lang="bash"><br />
# forwarded traffic: packets passing through the server<br />
chain forward {<br />
	# the 'hook forward' binding does the work, not the name of the chain<br />
	# 'priority filter' can be used with nftables versions newer than 0.9.0 (the command list above uses the numeric 'priority 0')<br />
	type filter hook forward priority filter; policy accept;<br />
	# the packet's dst address is looked up in subnet_map, a verdict map (10.20.255.48/29 : goto group_114);<br />
	# on a match the verdict sends the packet to chain group_114 for further processing<br />
	meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
	# the same lookup on the packet's src address<br />
	meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
	# private destination subnet with no priority set yet goes to 1:0xffff<br />
	ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
	# private source subnet with no priority set yet goes to 1:0xffff<br />
	ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
	ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
	ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
	# the rest of the traffic is sent to a separate tc class, 1:2<br />
	meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
}<br />
</source><br />
<br />
* '''chain group_114'''<br />
<source lang="bash"><br />
# the verdict map subnet_map sent the packet here<br />
chain group_114 {<br />
	# the packet's source address is matched against the set priority_set; the packet must not have a priority set yet<br />
	# when it matches, the destination address is looked up in map group_114_prio and the priority set accordingly (1:ffd9 for 10.20.255.50)<br />
	meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
	# the same in the other direction: destination address in priority_set, class id looked up by source address<br />
	meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
	# packets heading to / originating from non-prioritized addresses are matched in the next two rules<br />
	meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
	meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
	# unknown traffic is sent to the untracked class 1:0xffff<br />
	meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
<br />
map group_114 {<br />
	type ipv4_addr : classid<br />
	flags interval<br />
	elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
		     10.20.255.130 : 1:ffd2 }<br />
}<br />
<br />
map group_114_prio {<br />
	type ipv4_addr : classid<br />
	flags interval<br />
	elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
		     10.20.255.130 : 1:ffd3 }<br />
}<br />
</source><br />
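To make the flow through these two chains concrete, here is an added Python model of the sets, maps and rules above (example code, not part of the wiki page or of nftables): it treats a failed map lookup as a non-matching rule, models goto as not returning to the base chain, and assumes non-overlapping interval elements, which nftables enforces for interval sets.<br />
<br />
```python
"""Added example: a model of how the forward and group_114 chains classify a packet.
This is illustration code, not from the wiki page or the nftables project."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


def _net(s: str) -> IPv4Network:
    return ip_network(s)  # "8.8.8.8" becomes 8.8.8.8/32, like a single-address element


# The page's set and maps as Python data. nftables rejects overlapping elements in
# 'flags interval' sets (without auto-merge), so a first-match scan is enough here.
PRIORITY_SET: List[IPv4Network] = [_net("8.8.8.8"), _net("8.8.4.4")]
SUBNET_MAP: Dict[IPv4Network, str] = {           # ipv4_addr : verdict (goto <chain>)
    _net("10.20.255.48/29"): "group_114",
    _net("10.20.255.88/29"): "group_114",
    _net("10.20.255.128/29"): "group_114",
}
GROUP_114: Dict[IPv4Network, str] = {            # ipv4_addr : classid ("normal" classes)
    _net("10.20.255.50"): "1:ffd8", _net("10.20.255.90"): "1:ffd5", _net("10.20.255.130"): "1:ffd2",
}
GROUP_114_PRIO: Dict[IPv4Network, str] = {       # ipv4_addr : classid ("prio" classes)
    _net("10.20.255.50"): "1:ffd9", _net("10.20.255.90"): "1:ffd6", _net("10.20.255.130"): "1:ffd3",
}
PRIVATE = [_net("192.168.0.0/16"), _net("10.0.0.0/8")]


@dataclass
class Packet:
    saddr: IPv4Address
    daddr: IPv4Address
    priority: Optional[str] = None                 # None models 'meta priority none'
    logs: List[str] = field(default_factory=list)  # prefixes the 'log' statements would emit


def lookup(addr: IPv4Address, m: Dict[IPv4Network, str]) -> Optional[str]:
    """Interval map lookup. None means no element matched: in nftables the rule
    containing the lookup then does not match at all and the next rule is tried."""
    for net, value in m.items():
        if addr in net:
            return value
    return None


def in_set(addr: IPv4Address, s: List[IPv4Network]) -> bool:
    return any(addr in net for net in s)


def set_priority(pkt: Packet, classid: Optional[str], log_prefix: Optional[str] = None) -> None:
    """'meta priority none ... meta priority set <classid> [log prefix ...]'.
    Does nothing if a priority is already set or the classid lookup failed."""
    if pkt.priority is None and classid is not None:
        pkt.priority = classid
        if log_prefix is not None:
            pkt.logs.append(log_prefix)


def chain_group_114(pkt: Packet) -> None:
    """Regular chain reached via 'goto' from the verdict map."""
    # rules 1/2: a prioritised peer on one side -> class from the other side's prio map
    if in_set(pkt.saddr, PRIORITY_SET):
        set_priority(pkt, lookup(pkt.daddr, GROUP_114_PRIO))
    if in_set(pkt.daddr, PRIORITY_SET):
        set_priority(pkt, lookup(pkt.saddr, GROUP_114_PRIO))
    # rules 3/4: everything else in the group -> its normal class
    set_priority(pkt, lookup(pkt.daddr, GROUP_114))
    set_priority(pkt, lookup(pkt.saddr, GROUP_114))
    # rule 5: in the group's subnets but missing from both maps -> untracked class, logged
    set_priority(pkt, "1:ffff", "group_114 - ")


CHAINS = {"group_114": chain_group_114}


def chain_forward(pkt: Packet) -> Packet:
    """Base chain 'type filter hook forward priority filter; policy accept'."""
    for addr in (pkt.daddr, pkt.saddr):             # rules 1/2: verdict map lookups
        target = lookup(addr, SUBNET_MAP) if pkt.priority is None else None
        if target is not None:
            CHAINS[target](pkt)
            return pkt  # goto: no return to this chain, the base chain policy (accept) applies
    for net in PRIVATE:                              # rules 3-6: private subnets -> untracked
        for addr in (pkt.daddr, pkt.saddr):
            if addr in net:
                set_priority(pkt, "1:ffff", "total - ")
    set_priority(pkt, "1:2", "non_shaped - ")        # rule 7: the rest -> non-shaped class
    return pkt


def classify(saddr: str, daddr: str, priority: Optional[str] = None) -> Packet:
    """Run one constructed packet through the forward chain and return its final state."""
    return chain_forward(Packet(ip_address(saddr), ip_address(daddr), priority))


if __name__ == "__main__":
    # constructed sample packets; the third one sits in a group subnet but in no map
    for s, d in [("8.8.8.8", "10.20.255.50"), ("192.168.1.5", "10.20.255.90"),
                 ("10.20.255.51", "8.8.4.4"), ("10.20.0.11", "172.16.0.1"), ("1.1.1.1", "9.9.9.9")]:
        p = classify(s, d)
        print(f"{s:>13} -> {d:<13} classid {p.priority:<7} log {p.logs}")
```
<br />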
<br />
= Additional documentations and articles =<br />
* this article helps a lot when defining the redesigned rule structure: it shows performance with different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* the man page is a very good source of information; it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree<br />
* there is not much information about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=385
Classification to tc structure example
2019-04-16T07:20:00Z
<p>Vaclavz: /* Basic nftables commands */</p>
<hr />
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=384
Classification to tc structure example
2019-04-16T07:19:50Z
<p>Vaclavz: /* Basic prototype - nftables structure */</p>
<hr />
<div>== Introduction ==<br />
* '''nftables''' can replace not only ''iptables'' but also the very poorly documented ''tc filter'' rules, allowing the user to classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has a very good impact on performance in large filtering structures, because they use hashing to find the matching value.<br />
* the action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x can be omitted, but it says clearly that it is a hex number - double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions in one single rule and match on several pieces of information at once - a counter is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
* '''example''':<br />
<source lang="bash"><br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
</source><br />
* packet:<br />
** source address 8.8.8.8<br />
** destination address 10.20.255.50<br />
** '''meta priority none''' - matches the packet only when no priority (tc class id) has been set on it yet<br />
** '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set (in our case 8.8.8.8 or 8.8.4.4; elements can be subnets too)<br />
** '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority to the class id found for its destination address in the map named group_114_prio; for 10.20.255.50 this is 1:ffd9<br />
<br />
=== Basic prototype - tc class structure ===<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
=== Basic prototype - tc qdisc structure ===<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
=== Basic prototype - nftables structure ===<br />
<br />
<source lang="bash"><br />
table ip filter {<br />
	map subnet_map {<br />
		type ipv4_addr : verdict<br />
		flags interval<br />
		elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
			     10.20.255.128/29 : goto group_114 }<br />
	}<br />
<br />
	set priority_set {<br />
		type ipv4_addr<br />
		flags interval<br />
		elements = { 8.8.8.8, 8.8.4.4 }<br />
	}<br />
<br />
	map group_114 {<br />
		type ipv4_addr : classid<br />
		flags interval<br />
		elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
			     10.20.255.130 : 1:ffd2 }<br />
	}<br />
<br />
	map group_114_prio {<br />
		type ipv4_addr : classid<br />
		flags interval<br />
		elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
			     10.20.255.130 : 1:ffd3 }<br />
	}<br />
<br />
	chain forward {<br />
		type filter hook forward priority filter; policy accept;<br />
		meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
		meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
		ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
		ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
		ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
		ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
		meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
	}<br />
<br />
	chain input {<br />
		type filter hook input priority filter; policy accept;<br />
		meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
	}<br />
<br />
	chain output {<br />
		type filter hook output priority filter; policy accept;<br />
		meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
	}<br />
<br />
	chain group_114 {<br />
		meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
		meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
		meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
		meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
		meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
	}<br />
}<br />
</source><br />
<br />
= Basic nftables commands =<br />
* executed with '''nft -f filename.nft''', or from a program through the libnftables function ''nft_run_cmd_from_buffer''<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set { 8.8.8.8 }<br />
add element ip filter priority_set { 8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
* '''chain forward''' - the packet is passing through the server<br />
<source lang="bash"><br />
chain forward {<br />
	# the forward hook does the magic, not the name of the chain<br />
	# "priority filter" can be used in newer versions of nftables (> 0.9.0)<br />
	type filter hook forward priority filter; policy accept;<br />
	# the packet's destination, then its source address is looked up in subnet_map; it is a verdict map<br />
	# (10.20.255.48/29 : goto group_114), so on a match it decides where the packet continues - chain group_114<br />
	meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
	meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
	# a private destination or source subnet without a priority set yet is put into 1:0xffff<br />
	ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
	ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
	ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
	ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
	# the rest of the traffic is sent to a separate tc class object<br />
	meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
}<br />
</source><br />
<br />
* '''chain group_114''' - subnet_map redirected the packet here<br />
<source lang="bash"><br />
chain group_114 {<br />
	# the packet's source / destination address is matched against the set named priority_set,<br />
	# and the packet must not have any priority set yet<br />
	# when matched, the packet's destination (or source) address is looked up in the map group_114_prio<br />
	# and the priority is set accordingly - 1:ffd9<br />
	meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
	meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
	# packets heading to / originating from non-prioritised addresses are matched in the next steps<br />
	meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
	meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
	# unknown traffic is put into the untracked object - 1:0xffff<br />
	meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
<br />
map group_114 {<br />
	type ipv4_addr : classid<br />
	flags interval<br />
	elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
		     10.20.255.130 : 1:ffd2 }<br />
}<br />
<br />
map group_114_prio {<br />
	type ipv4_addr : classid<br />
	flags interval<br />
	elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
		     10.20.255.130 : 1:ffd3 }<br />
}<br />
</source><br />
<br />
= Additional documentations and articles =<br />
* This article helps a lot when designing the redesigned rule structure: it shows the performance of different rule setups, yet it tells almost nothing about classification itself:<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* A very good source of information is the man page; it can be generated as a PDF from the source tree with '''nftables/doc/build_pdfs.sh'''.<br />
* There is not much information about tc classification.</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=383
Classification to tc structure example
2019-04-16T07:19:40Z
<p>Vaclavz: /* Basic prototype - tc qdisc structure */</p>
<hr />
<div>== Introduction ==<br />
* '''nftables''' can replace not only ''iptables'', but also the very poorly documented ''tc filter'' rules, and it lets the user classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has a very good impact on performance in large filtering structures, because they use hashing to find the correct value.<br />
* The action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x can be omitted, but it says clearly that it is a hex number - the double quotes are required.<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions in one single rule and match on several pieces of information - a counter is a must-have for debugging.<br />
* You will have to redesign your rule structure to benefit from these new nice features.<br />
* '''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
* packet:<br />
** source address 8.8.8.8<br />
** destination address 10.20.255.50<br />
** '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
** '''ip saddr @priority_set''' - matches the packet only when the source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - it can be a subnet too<br />
** '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority based on its destination address, which is looked up in the map named group_114_prio - sets the priority to 1:ffd9<br />
<br />
=== Basic prototype - tc class structure ===<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
=== Basic prototype - tc qdisc structure ===<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
<source lang="bash"><br />
table ip filter {<br />
	map subnet_map {<br />
		type ipv4_addr : verdict<br />
		flags interval<br />
		elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
			     10.20.255.128/29 : goto group_114 }<br />
	}<br />
<br />
	set priority_set {<br />
		type ipv4_addr<br />
		flags interval<br />
		elements = { 8.8.8.8, 8.8.4.4 }<br />
	}<br />
<br />
	map group_114 {<br />
		type ipv4_addr : classid<br />
		flags interval<br />
		elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
			     10.20.255.130 : 1:ffd2 }<br />
	}<br />
<br />
	map group_114_prio {<br />
		type ipv4_addr : classid<br />
		flags interval<br />
		elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
			     10.20.255.130 : 1:ffd3 }<br />
	}<br />
<br />
	chain forward {<br />
		type filter hook forward priority filter; policy accept;<br />
		meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
		meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
		ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
		ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
		ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
		ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
		meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
	}<br />
<br />
	chain input {<br />
		type filter hook input priority filter; policy accept;<br />
		meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
	}<br />
<br />
	chain output {<br />
		type filter hook output priority filter; policy accept;<br />
		meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
	}<br />
<br />
	chain group_114 {<br />
		meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
		meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
		meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
		meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
		meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
	}<br />
}<br />
</source><br />
<br />
= Basic nftables commands =<br />
* Executed with '''nft -f filename.nft''', or from a program through the libnftables function ''nft_run_cmd_from_buffer''.<br />
<source lang="bash"><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
* '''chain forward''' - the packet is passing through the server<br />
<source lang="bash"><br />
chain forward {<br />
	# the forward hook does the magic, not the name of the chain<br />
	# "priority filter" can be used in newer versions of nftables (> 0.9.0)<br />
	type filter hook forward priority filter; policy accept;<br />
	# the packet's destination, then its source address is looked up in subnet_map; it is a verdict map<br />
	# (10.20.255.48/29 : goto group_114), so on a match it decides where the packet continues - chain group_114<br />
	meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
	meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
	# a private destination or source subnet without a priority set yet is put into 1:0xffff<br />
	ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
	ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
	ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
	ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
	# the rest of the traffic is sent to a separate tc class object<br />
	meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
}<br />
</source><br />
<br />
* '''chain group_114''' - subnet_map redirected the packet here<br />
<source lang="bash"><br />
chain group_114 {<br />
	# the packet's source / destination address is matched against the set named priority_set,<br />
	# and the packet must not have any priority set yet<br />
	# when matched, the packet's destination (or source) address is looked up in the map group_114_prio<br />
	# and the priority is set accordingly - 1:ffd9<br />
	meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
	meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
	# packets heading to / originating from non-prioritised addresses are matched in the next steps<br />
	meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
	meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
	# unknown traffic is put into the untracked object - 1:0xffff<br />
	meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
<br />
map group_114 {<br />
	type ipv4_addr : classid<br />
	flags interval<br />
	elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
		     10.20.255.130 : 1:ffd2 }<br />
}<br />
<br />
map group_114_prio {<br />
	type ipv4_addr : classid<br />
	flags interval<br />
	elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
		     10.20.255.130 : 1:ffd3 }<br />
}<br />
</source><br />
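As an added example (not code from this wiki page or from the nftables project), the following Python model walks a forwarded packet through the ruleset above: it reproduces the page's worked example (8.8.8.8 to 10.20.255.50 ends in 1:ffd9) and shows what the goto verdict implies for the "total - " rules. It assumes the interval set/map lookup behaves as a longest-prefix match and uses constructed sample packets.<br />

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Sets and maps copied from the page's ruleset; values are tc classids or verdicts.
PRIORITY_SET = ["8.8.8.8", "8.8.4.4"]
SUBNET_MAP = {
    "10.20.255.48/29": "goto group_114",
    "10.20.255.88/29": "goto group_114",
    "10.20.255.128/29": "goto group_114",
}
GROUP_114 = {"10.20.255.50/32": "1:ffd8", "10.20.255.90/32": "1:ffd5", "10.20.255.130/32": "1:ffd2"}
GROUP_114_PRIO = {"10.20.255.50/32": "1:ffd9", "10.20.255.90/32": "1:ffd6", "10.20.255.130/32": "1:ffd3"}


@dataclass
class Packet:
    saddr: str
    daddr: str
    priority: Optional[str] = None  # tc classid; None models "meta priority none"
    logs: List[str] = field(default_factory=list)  # log prefixes hit on the way, for debugging


def lookup(addr: str, elements):
    """Interval set/map lookup: the most specific element that contains addr.

    Returns the mapped value (True for a plain set) or None on a miss. Assumption: the
    longest prefix wins, which is how non-overlapping nft interval elements behave."""
    ip = ip_address(addr)
    items = elements.items() if isinstance(elements, dict) else ((e, True) for e in elements)
    best, best_len = None, -1
    for prefix, value in items:
        net = ip_network(prefix, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = value, net.prefixlen
    return best


def chain_group_114(pkt: Packet) -> None:
    """The page's chain group_114. Every rule carries 'meta priority none', so the first
    rule that sets a classid wins and the later ones no longer match."""
    # rules 1 and 2: a prioritised peer (priority_set) on one side selects the "prio" class
    # of the group member on the other side; a miss in group_114_prio means no match at all
    for peer, member in ((pkt.saddr, pkt.daddr), (pkt.daddr, pkt.saddr)):
        if pkt.priority is None and lookup(peer, PRIORITY_SET):
            pkt.priority = lookup(member, GROUP_114_PRIO)
    # rules 3 and 4: the "normal" class of the group member, by destination then by source
    for member in (pkt.daddr, pkt.saddr):
        if pkt.priority is None:
            pkt.priority = lookup(member, GROUP_114)
    # rule 5: still unclassified traffic goes to the untracked class and is logged
    if pkt.priority is None:
        pkt.priority = "1:ffff"
        pkt.logs.append("group_114 - ")


def chain_forward(pkt: Packet) -> str:
    """The page's base chain forward. Returns the classid the packet leaves with."""
    # rules 1 and 2: verdict map on the destination, then the source address.
    # 'goto' does not return: when group_114 ends, the base chain's policy (accept)
    # applies, so the "total - " rules below are never reached by group traffic.
    for addr in (pkt.daddr, pkt.saddr):
        if pkt.priority is None and lookup(addr, SUBNET_MAP) == "goto group_114":
            chain_group_114(pkt)
            return pkt.priority
    # rules 3 to 6: private ranges that still carry no classid go to the untracked class
    for net in ("192.168.0.0/16", "10.0.0.0/8"):
        for addr in (pkt.daddr, pkt.saddr):
            if pkt.priority is None and ip_address(addr) in ip_network(net):
                pkt.priority = "1:ffff"
                pkt.logs.append("total - ")
    # rule 7: everything else is left unshaped
    if pkt.priority is None:
        pkt.priority = "1:2"
        pkt.logs.append("non_shaped - ")
    return pkt.priority


def classify(saddr: str, daddr: str) -> Tuple[str, List[str]]:
    """Run one forwarded packet through the ruleset; returns (classid, log prefixes)."""
    pkt = Packet(saddr, daddr)
    return chain_forward(pkt), pkt.logs


if __name__ == "__main__":
    # the page's worked example plus a few constructed packets
    for s, d in [("8.8.8.8", "10.20.255.50"), ("10.20.255.50", "192.168.1.1"),
                 ("10.20.255.51", "1.1.1.1"), ("10.0.0.5", "1.1.1.1"), ("1.1.1.1", "2.2.2.2")]:
        print(f"{s:>14} -> {d:<14} {classify(s, d)}")
```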
<br />
= Additional documentations and articles =<br />
* This article helps a lot when designing the redesigned rule structure: it shows the performance of different rule setups, yet it tells almost nothing about classification itself:<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* A very good source of information is the man page; it can be generated as a PDF from the source tree with '''nftables/doc/build_pdfs.sh'''.<br />
* There is not much information about tc classification.</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=382
Classification to tc structure example
2019-04-16T07:19:29Z
<p>Vaclavz: /* Basic prototype - tc class structure */</p>
<hr />
<div>== Introduction ==<br />
* '''nftables''' can replace not even ''iptables'', but it can be used to replace very poorly documented ''tc filter'' rules and allow user to classify packets into tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has very good impact on performance in large filtering structures, because they use hashing to get correct value. <br />
* action used to classify packets into tc structure is '''meta set priority "1:0x2"''' - 0x can be omitted, but says clearly it is hex number - double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions in one single rule and match several informations - counter is must have for debugging<br />
* You will have to redesign your rule structure to benefit from these new nice features.<br />
* '''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
* packet: <br />
** source address 8.8.8.8<br />
** destination address 10.20.255.50<br />
** '''meta priority none''' - matches packet only when there is no priority - tc class id - set yet<br />
** '''ip saddr @priority_set''' - matches packet only when source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - can be subnet too<br />
** '''meta priority set ip daddr map @group_114_prio''' - sets priority to packet based on its destination address, which is read from map named group_114_prio - sets priority to 1:ffd9<br />
<br />
=== Basic prototype - tc class structure ===<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
table ip filter {<br />
map subnet_map {<br />
type ipv4_addr : verdict<br />
flags interval<br />
elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
10.20.255.128/29 : goto group_114 }<br />
}<br />
<br />
set priority_set { <br />
type ipv4_addr<br />
flags interval<br />
elements = { 8.8.8.8, 8.8.4.4 }<br />
} <br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
} <br />
<br />
chain forward {<br />
type filter hook forward priority filter; policy accept;<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " <br />
} <br />
<br />
chain input {<br />
type filter hook input priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
} <br />
<br />
chain output {<br />
type filter hook output priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
} <br />
<br />
chain group_114 {<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
}<br />
<br />
= Basic nftables commands =<br />
* executed using '''nft -f filename.nft''' - or using function ''nft_run_cmd_from_buffer'' - libnftables<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
* '''chain forward'''<br />
# packet passing through server<br />
'''chain forward {'''<br />
# ''hook forward'' does the magic, not the name of the chain<br />
# ''priority filter'' can be used in newer versions of nftables > 0.9.0<br />
'''type filter hook forward priority filter; policy accept;'''<br />
# packet is matched against '''subnet_map''' - it is ''verdict map'' = 10.20.255.48/29 : goto group_114<br />
'''meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0''' # packet's dst address is looked up<br />
# it contains decision on where to send the packet for further processing when matched - chain group_114<br />
'''meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0''' # packet's src address is looked up<br />
# private destination subnet without set priority is set to 1:0xffff<br />
'''ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
# private source subnet without set priority is set to 1:0xffff<br />
'''ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "''' <br />
'''ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "''' <br />
'''ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "''' <br />
# rest of traffic is sent to separate tc class object<br />
'''meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "'''<br />
'''}'''<br />
<br />
* '''chain group_114'''<br />
# subnet_map redirected the packet here<br />
'''chain group_114 {'''<br />
# packet's source / destination address is matched against set named priority_set and it can't contain any priority set<br />
'''meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0'''<br />
# when matched it compares destination address of the packet against group_114_prio map and sets the priority accordingly - 1:ffd9<br />
'''meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0'''<br />
# packets heading / originating to / from non prioritized addresses are matched in next steps<br />
'''meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0'''<br />
'''meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0'''<br />
# unknown traffic is set to untracked object - 1:0xffff<br />
'''meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "'''<br />
'''}'''<br />
<br />
'''map group_114 {'''<br />
'''type ipv4_addr : classid'''<br />
'''flags interval'''<br />
'''elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,'''<br />
'''10.20.255.130 : 1:ffd2 }'''<br />
'''}''' <br />
<br />
'''map group_114_prio {'''<br />
'''type ipv4_addr : classid'''<br />
'''flags interval'''<br />
'''elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,'''<br />
'''10.20.255.130 : 1:ffd3 }'''<br />
'''}'''<br />
<br />
= Additional documentations and articles =<br />
* this article can help a lot when defining the redesigned rule structure: it shows the performance of different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page - it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree<br />
* there is not much information about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=381
Classification to tc structure example
2019-04-16T07:19:17Z
<p>Vaclavz: /* Introduction */</p>
<hr />
<div>== Introduction ==<br />
* '''nftables''' can replace not only ''iptables'', but also the very poorly documented ''tc filter'' rules, and allows the user to classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has a very good impact on performance in large filtering structures, because the lookup is done by hashing instead of walking a list of rules.<br />
* the action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x can be omitted, but it states clearly that the number is hexadecimal - the double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions in one single rule and match on several pieces of information - a counter is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
* '''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
* packet: <br />
** source address 8.8.8.8<br />
** destination address 10.20.255.50<br />
** '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
** '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - the elements can be subnets too<br />
** '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority based on its destination address, looked up in the map named group_114_prio - here it sets the priority to 1:ffd9<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
<source><br />
table ip filter {<br />
        map subnet_map {<br />
                type ipv4_addr : verdict<br />
                flags interval<br />
                elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
                             10.20.255.128/29 : goto group_114 }<br />
        }<br />
<br />
        set priority_set {<br />
                type ipv4_addr<br />
                flags interval<br />
                elements = { 8.8.8.8, 8.8.4.4 }<br />
        }<br />
<br />
        map group_114 {<br />
                type ipv4_addr : classid<br />
                flags interval<br />
                elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
                             10.20.255.130 : 1:ffd2 }<br />
        }<br />
<br />
        map group_114_prio {<br />
                type ipv4_addr : classid<br />
                flags interval<br />
                elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
                             10.20.255.130 : 1:ffd3 }<br />
        }<br />
<br />
        chain forward {<br />
                type filter hook forward priority filter; policy accept;<br />
                meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
                meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
                ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
                ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
                ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
                ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
                meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
        }<br />
<br />
        chain input {<br />
                type filter hook input priority filter; policy accept;<br />
                meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
        }<br />
<br />
        chain output {<br />
                type filter hook output priority filter; policy accept;<br />
                meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
        }<br />
<br />
        chain group_114 {<br />
                meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
                meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
                meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
                meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
                meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
        }<br />
}<br />
</source><br />
<br />
= Basic nftables commands =<br />
* executed with '''nft -f filename.nft''', or programmatically through the libnftables function ''nft_run_cmd_from_buffer''<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
* '''chain forward'''<br />
# a packet passing through the server (forwarded traffic)<br />
'''chain forward {'''<br />
# it is ''hook forward'' that selects this traffic, not the name of the chain<br />
# the symbolic ''priority filter'' can be used in newer versions of nftables (> 0.9.0); the numeric ''priority 0'' used in the commands above works with older versions too<br />
'''type filter hook forward priority filter; policy accept;'''<br />
# the packet is matched against '''subnet_map''' - it is a ''verdict map'', e.g. 10.20.255.48/29 : goto group_114<br />
'''meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0''' # the packet's dst address is looked up<br />
# the map holds the decision on where to send the packet for further processing when it matches - chain group_114; because the verdict is ''goto'', the packet does not come back to the remaining forward rules<br />
'''meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0''' # the packet's src address is looked up<br />
# a private destination subnet without a priority set yet is assigned 1:0xffff<br />
'''ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
# a private source subnet without a priority set yet is assigned 1:0xffff<br />
'''ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
'''ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "'''<br />
'''ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "'''<br />
# the rest of the traffic is sent to a separate tc class<br />
'''meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "'''<br />
'''}'''<br />
<br />
* '''chain group_114'''<br />
# subnet_map redirected the packet here<br />
'''chain group_114 {'''<br />
# the packet's source / destination address is matched against the set named priority_set, and the packet must not have any priority set yet<br />
'''meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0'''<br />
# when it matches, the packet's destination address is looked up in the group_114_prio map and the priority is set accordingly - 1:ffd9<br />
'''meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0'''<br />
# packets to / from non-prioritized addresses are matched by the next rules<br />
'''meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0'''<br />
'''meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0'''<br />
# unknown traffic is assigned to the untracked class - 1:0xffff<br />
'''meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "'''<br />
'''}'''<br />
<br />
'''map group_114 {'''<br />
'''type ipv4_addr : classid'''<br />
'''flags interval'''<br />
'''elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,'''<br />
'''10.20.255.130 : 1:ffd2 }'''<br />
'''}''' <br />
<br />
'''map group_114_prio {'''<br />
'''type ipv4_addr : classid'''<br />
'''flags interval'''<br />
'''elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,'''<br />
'''10.20.255.130 : 1:ffd3 }'''<br />
'''}'''<br />
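<br />
The following Python model is added here as an example; it is not part of the original wiki page nor of nftables. It walks a packet through the ruleset exactly in the order described above (and in the Introduction's worked example): the sets, maps, class ids and rule order are the page's own, while the Packet class, the helper names and the sample packets are constructed for the example. It also shows the 32-bit value that a "major:minor" class id such as "1:0xffd9" stands for.<br />

```python
"""Model of the page's classification walk, using the same sets, maps and
rule order as 'table ip filter' above. Constructed example; not nft itself."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Sets and maps copied from the page's ruleset ('flags interval' elements).
SUBNET_MAP = {"10.20.255.48/29": "goto group_114",   # ipv4_addr : verdict
              "10.20.255.88/29": "goto group_114",
              "10.20.255.128/29": "goto group_114"}
PRIORITY_SET = ["8.8.8.8", "8.8.4.4"]                 # ipv4_addr
GROUP_114 = {"10.20.255.50": "1:ffd8", "10.20.255.90": "1:ffd5",
             "10.20.255.130": "1:ffd2"}               # ipv4_addr : classid
GROUP_114_PRIO = {"10.20.255.50": "1:ffd9", "10.20.255.90": "1:ffd6",
                  "10.20.255.130": "1:ffd3"}


@dataclass
class Packet:
    saddr: str
    daddr: str
    priority: Optional[str] = None            # None == 'meta priority none'
    log: list = field(default_factory=list)   # prefixes a 'log' statement would emit


def in_set(addr: str, elements) -> bool:
    """'ip saddr @set' with flags interval: some element (host or prefix) contains addr."""
    ip = ip_address(addr)
    return any(ip in ip_network(e, strict=False) for e in elements)


def map_lookup(addr: str, mapping: dict) -> Optional[str]:
    """'... map @m': value of the matching element, or None (the rule does not match)."""
    ip = ip_address(addr)
    for elem, value in mapping.items():
        if ip in ip_network(elem, strict=False):
            return value
    return None


def chain_group_114(pkt: Packet) -> Packet:
    """Regular chain reached only through the subnet_map verdict.
    Every rule starts with 'meta priority none', so only the first rule whose
    map lookup succeeds sets the class id; the later rules no longer match."""
    if pkt.priority is None and in_set(pkt.saddr, PRIORITY_SET):
        pkt.priority = map_lookup(pkt.daddr, GROUP_114_PRIO)
    if pkt.priority is None and in_set(pkt.daddr, PRIORITY_SET):
        pkt.priority = map_lookup(pkt.saddr, GROUP_114_PRIO)
    if pkt.priority is None:
        pkt.priority = map_lookup(pkt.daddr, GROUP_114)
    if pkt.priority is None:
        pkt.priority = map_lookup(pkt.saddr, GROUP_114)
    if pkt.priority is None:                  # unknown traffic -> untracked class
        pkt.priority = "1:ffff"
        pkt.log.append("group_114 - ")
    return pkt


def chain_forward(pkt: Packet) -> Packet:
    """Base chain on 'hook forward'. The verdict map uses 'goto', which never
    returns: a packet sent to group_114 skips the remaining forward rules."""
    for addr in (pkt.daddr, pkt.saddr):       # 'ip daddr vmap', then 'ip saddr vmap'
        if pkt.priority is None and map_lookup(addr, SUBNET_MAP) == "goto group_114":
            return chain_group_114(pkt)
    for addr, net in ((pkt.daddr, "192.168.0.0/16"), (pkt.saddr, "192.168.0.0/16"),
                      (pkt.daddr, "10.0.0.0/8"), (pkt.saddr, "10.0.0.0/8")):
        if pkt.priority is None and in_set(addr, [net]):
            pkt.priority = "1:ffff"           # private traffic without a class yet
            pkt.log.append("total - ")
    if pkt.priority is None:                  # everything else -> router:shaper
        pkt.priority = "1:2"
        pkt.log.append("non_shaped - ")
    return pkt


def classify(saddr: str, daddr: str):
    """Class id and log prefixes a forwarded packet would get."""
    pkt = chain_forward(Packet(saddr, daddr))
    return pkt.priority, pkt.log


def classid_value(classid: str) -> int:
    """Numeric value behind 'major:minor' (both hex, '0x' optional, quotes allowed):
    '1:0xffd9' and '1:ffd9' are the same tc class, 0x0001ffd9."""
    major, minor = classid.strip('"').split(":")
    return (int(major, 16) << 16) | int(minor, 16)


if __name__ == "__main__":
    # Constructed sample packets; the first one is the page's own worked example.
    for src, dst in (("8.8.8.8", "10.20.255.50"), ("1.1.1.1", "10.20.255.90"),
                     ("10.20.255.51", "1.1.1.1"), ("10.20.1.1", "1.1.1.1"),
                     ("1.1.1.1", "2.2.2.2")):
        cid, logs = classify(src, dst)
        print(f"{src:>13} -> {dst:<13} class {cid} ({classid_value(cid):#010x}) {logs}")
```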
<br />
= Additional documentations and articles =<br />
* this article can help a lot when defining the redesigned rule structure: it shows the performance of different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page - it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree<br />
* there is not much information about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=380
Classification to tc structure example
2019-04-16T07:19:06Z
<p>Vaclavz: /* Introduction */</p>
<hr />
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=379
Classification to tc structure example
2019-04-13T12:21:49Z
<p>Vaclavz: /* Introduction */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not only ''iptables'', but also the very poorly documented ''tc filter'' rules, and allows the user to classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has a very good impact on performance in large filtering structures, because the lookup is done by hashing instead of walking a list of rules.<br />
* the action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x can be omitted, but it states clearly that the number is hexadecimal - the double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions in one single rule and match on several pieces of information - a counter is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
'''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
packet: <br />
source address 8.8.8.8<br />
destination address 10.20.255.50<br />
* '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
* '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - the elements can be subnets too<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority based on its destination address, looked up in the map named group_114_prio - here it sets the priority to 1:ffd9<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
<source><br />
table ip filter {<br />
    map subnet_map {<br />
        type ipv4_addr : verdict<br />
        flags interval<br />
        elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
                     10.20.255.128/29 : goto group_114 }<br />
    }<br />
<br />
    set priority_set {<br />
        type ipv4_addr<br />
        flags interval<br />
        elements = { 8.8.8.8, 8.8.4.4 }<br />
    }<br />
<br />
    map group_114 {<br />
        type ipv4_addr : classid<br />
        flags interval<br />
        elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
                     10.20.255.130 : 1:ffd2 }<br />
    }<br />
<br />
    map group_114_prio {<br />
        type ipv4_addr : classid<br />
        flags interval<br />
        elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
                     10.20.255.130 : 1:ffd3 }<br />
    }<br />
<br />
    chain forward {<br />
        type filter hook forward priority filter; policy accept;<br />
        meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
        meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
        ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
        ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
        ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
        ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
        meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
    }<br />
<br />
    chain input {<br />
        type filter hook input priority filter; policy accept;<br />
        meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
    }<br />
<br />
    chain output {<br />
        type filter hook output priority filter; policy accept;<br />
        meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
    }<br />
<br />
    chain group_114 {<br />
        meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
        meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
        meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
        meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
        meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
    }<br />
}<br />
</source><br />
<br />
= Basic nftables commands =<br />
* executed with '''nft -f filename.nft''', or programmatically through the libnftables function ''nft_run_cmd_from_buffer''<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
* '''chain forward'''<br />
# a packet passing through the server (forwarded traffic, not locally delivered)<br />
'''chain forward {'''<br />
# ''hook forward'' is what attaches the chain to forwarded packets; the chain name itself has no meaning<br />
# the symbolic ''priority filter'' works in nftables versions newer than 0.9.0; older versions need the numeric ''priority 0'' used in the commands above<br />
'''type filter hook forward priority filter; policy accept;'''<br />
# the packet is looked up in '''subnet_map''', a ''verdict map'' (e.g. 10.20.255.48/29 : goto group_114)<br />
'''meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0''' # the packet's destination address is looked up<br />
# a hit yields the verdict that decides where the packet goes for further processing, here ''goto'' chain group_114; the remaining rules of this chain are not evaluated for that packet<br />
'''meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0''' # the packet's source address is looked up<br />
# traffic to a private destination subnet that still has no priority is classified to 1:0xffff<br />
'''ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
# traffic from a private source subnet that still has no priority is classified to 1:0xffff<br />
'''ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
'''ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "'''<br />
'''ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "'''<br />
# everything else is sent to a separate tc class, 1:2 (router:shaper in the tc tree above)<br />
'''meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "'''<br />
'''}'''<br />
<br />
* '''chain group_114'''<br />
# the ''goto'' verdict from subnet_map brought the packet here<br />
'''chain group_114 {'''<br />
# the packet's source address (in the next rule: its destination address) is matched against the set named priority_set; the packet must not have any priority set yet<br />
'''meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0'''<br />
# on a match, the packet's destination address is looked up in map group_114_prio and the priority is set to the result, e.g. 1:ffd9; if the address is not in the map, the rule does not match and evaluation continues with the next rule<br />
'''meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0'''<br />
# packets to or from addresses that are not prioritized are classified by the next two rules, via map group_114<br />
'''meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0'''<br />
'''meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0'''<br />
# anything still unclassified is sent to the untracked class, 1:0xffff, and logged with the prefix "group_114 - ", so hosts missing from the maps show up in the log<br />
'''meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "'''<br />
'''}'''<br />
<br />
'''map group_114 {'''<br />
'''type ipv4_addr : classid'''<br />
'''flags interval'''<br />
'''elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,'''<br />
'''10.20.255.130 : 1:ffd2 }'''<br />
'''}''' <br />
<br />
'''map group_114_prio {'''<br />
'''type ipv4_addr : classid'''<br />
'''flags interval'''<br />
'''elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,'''<br />
'''10.20.255.130 : 1:ffd3 }'''<br />
'''}'''<br />
<br />
= Additional documentations and articles =<br />
* this article helps a lot when defining the redesigned rule structure: it shows performance with different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page; it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree<br />
* there is not much information available about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=378
Classification to tc structure example
2019-04-13T12:20:37Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not only ''iptables'' but also the very poorly documented ''tc filter'' rules, letting the user classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which greatly improves performance in large filtering structures, because they use hashing to find the matching value.<br />
* the action that classifies packets into the tc structure is '''meta priority set "1:0x2"'''; the ''0x'' can be omitted, but it reminds you that the value is a hexadecimal number; the double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions and match on several pieces of information in one single rule; a ''counter'' is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
'''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
packet:<br />
source address 8.8.8.8<br />
destination address 10.20.255.50<br />
* '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
* '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set, in our case 8.8.8.8 or 8.8.4.4 (entries can be subnets too)<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority according to its destination address, looked up in the map named group_114_prio; here the result is 1:ffd9<br />
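The single-rule example above and the ''Packet processing'' walk-through can be checked offline with this small model of the page's two chains, an added example that is not the wiki's own code nor part of nftables. It runs constructed packets through the page's sets, maps and rules with nftables semantics (''meta priority none'' guards, longest-prefix interval lookups, a failed map lookup making the rule not match, and ''goto'' never returning to the calling chain); the sample packets and the COUNTERS bookkeeping are assumptions of this example.<br />

```python
"""Model of the page's 'forward' and 'group_114' chains (added example, not the
wiki's own code): return the tc classid the ruleset assigns as 'meta priority'."""
from ipaddress import ip_address, ip_network

# Sets and maps copied from the page's ruleset.  'flags interval' means a
# lookup matches the most specific element containing the address.
PRIORITY_SET = {ip_network("8.8.8.8/32"): True, ip_network("8.8.4.4/32"): True}
SUBNET_MAP = {ip_network("10.20.255.48/29"): "group_114",      # goto targets
              ip_network("10.20.255.88/29"): "group_114",
              ip_network("10.20.255.128/29"): "group_114"}
GROUP_114 = {ip_network("10.20.255.50/32"): "1:ffd8",
             ip_network("10.20.255.90/32"): "1:ffd5",
             ip_network("10.20.255.130/32"): "1:ffd2"}
GROUP_114_PRIO = {ip_network("10.20.255.50/32"): "1:ffd9",
                  ip_network("10.20.255.90/32"): "1:ffd6",
                  ip_network("10.20.255.130/32"): "1:ffd3"}
COUNTERS = {}  # (chain, rule index) -> packets, like the page's 'counter'


def lookup(addr, interval_map):
    """Longest-prefix match; None when no element contains the address."""
    hits = [net for net in interval_map if ip_address(addr) in net]
    return interval_map[max(hits, key=lambda n: n.prefixlen)] if hits else None


class Packet:
    def __init__(self, saddr, daddr):
        self.saddr, self.daddr = saddr, daddr
        self.priority = None  # 'meta priority none' until a rule sets it
        self.log = []         # log prefixes emitted while classifying


def rule(*match, vmap=None, set_from=None, set_to=None, log=None):
    """match: (field, value) pairs that must all hit; vmap=(field, map) is a
    verdict map; set_from=(field, map) sets the priority from a classid map;
    set_to sets a fixed classid; log is a 'log prefix' string."""
    return dict(match=match, vmap=vmap, set_from=set_from, set_to=set_to, log=log)


def matches(pkt, field, value):
    if field == "priority":                  # 'meta priority none'
        return pkt.priority == value
    addr = getattr(pkt, field)
    if isinstance(value, dict):              # 'ip saddr @priority_set'
        return lookup(addr, value) is not None
    return ip_address(addr) in ip_network(value)  # 'ip daddr 10.0.0.0/8'


NONE = ("priority", None)
CHAINS = {
    "forward": [
        rule(NONE, vmap=("daddr", SUBNET_MAP)),
        rule(NONE, vmap=("saddr", SUBNET_MAP)),
        rule(("daddr", "192.168.0.0/16"), NONE, set_to="1:ffff", log="total - "),
        rule(("saddr", "192.168.0.0/16"), NONE, set_to="1:ffff", log="total - "),
        rule(("daddr", "10.0.0.0/8"), NONE, set_to="1:ffff", log="total - "),
        rule(("saddr", "10.0.0.0/8"), NONE, set_to="1:ffff", log="total - "),
        rule(NONE, set_to="1:2", log="non_shaped - "),
    ],
    "group_114": [
        rule(NONE, ("saddr", PRIORITY_SET), set_from=("daddr", GROUP_114_PRIO)),
        rule(NONE, ("daddr", PRIORITY_SET), set_from=("saddr", GROUP_114_PRIO)),
        rule(NONE, set_from=("daddr", GROUP_114)),
        rule(NONE, set_from=("saddr", GROUP_114)),
        rule(NONE, set_to="1:ffff", log="group_114 - "),
    ],
}


def run_chain(pkt, name):
    for i, r in enumerate(CHAINS[name]):
        if not all(matches(pkt, f, v) for f, v in r["match"]):
            continue
        if r["vmap"]:
            target = lookup(getattr(pkt, r["vmap"][0]), r["vmap"][1])
            if target is None:               # no element: rule does not match
                continue
            COUNTERS[(name, i)] = COUNTERS.get((name, i), 0) + 1
            run_chain(pkt, target)           # 'goto': evaluation does not
            return                           # come back to this chain's rules
        if r["set_from"]:
            classid = lookup(getattr(pkt, r["set_from"][0]), r["set_from"][1])
            if classid is None:              # failed map lookup: no match
                continue
            pkt.priority = classid
        elif r["set_to"]:
            pkt.priority = r["set_to"]
        COUNTERS[(name, i)] = COUNTERS.get((name, i), 0) + 1
        if r["log"]:
            pkt.log.append(r["log"])
    # end of chain without a verdict: the base chain policy 'accept' applies


def classify(saddr, daddr):
    """Run one forwarded packet through chain 'forward'; return (classid, logs)."""
    pkt = Packet(saddr, daddr)
    run_chain(pkt, "forward")
    return pkt.priority, pkt.log


if __name__ == "__main__":
    # Constructed packets: the page's example, an unlisted host in a managed
    # subnet (logged as "group_114 - "), private traffic, and unshaped traffic.
    for src, dst in [("8.8.8.8", "10.20.255.50"), ("10.20.255.49", "1.1.1.1"),
                     ("192.168.1.5", "10.1.2.3"), ("1.2.3.4", "5.6.7.8")]:
        print(src, "->", dst, classify(src, dst))
```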
<br />
<br />
</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=377
Classification to tc structure example
2019-04-13T12:19:19Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not even ''iptables'', but it can be used to replace very poorly documented ''tc filter'' rules and allow user to classify packets into tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has very good impact on performance in large filtering structures, because they use hashing to get correct value. <br />
* action used to classify packets into tc structure is '''meta set priority "1:0x2"''' - 0x can be omitted, but it remembers one it is hex number - double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions in one single rule and match several informations - counter is must have for debugging<br />
* You will have to redesign your rule structure to benefit from these new nice features.<br />
'''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
packet: <br />
source address 8.8.8.8<br />
destination address 10.20.255.50<br />
* '''meta priority none''' - matches packet only when there is no priority - tc class id - set yet<br />
* '''ip saddr @priority_set''' - matches packet only when source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - can be subnet too<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets priority to packet based on its destination address, which is read from map named group_114_prio - sets priority to 1:ffd9<br />
<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
table ip filter {<br />
map subnet_map {<br />
type ipv4_addr : verdict<br />
flags interval<br />
elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
10.20.255.128/29 : goto group_114 }<br />
}<br />
<br />
set priority_set { <br />
type ipv4_addr<br />
flags interval<br />
elements = { 8.8.8.8, 8.8.4.4 }<br />
} <br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
} <br />
<br />
chain forward {<br />
type filter hook forward priority filter; policy accept;<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " <br />
} <br />
<br />
chain input {<br />
type filter hook input priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
} <br />
<br />
chain output {<br />
type filter hook output priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
} <br />
<br />
chain group_114 {<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
}<br />
<br />
= Basic nftables commands =<br />
* executed using '''nft -f filename.nft''' - or using function ''nft_run_cmd_from_buffer'' - libnftables<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
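The batch above is hand-written, which gets tedious once there are many groups and hosts. The following is an added example, not code from the wiki page or from the nftables project: a Python generator that takes a declarative description of the groups (local host to prio/normal tc classids, subnets handed to the group's chain) plus the prioritised remote peers, and emits the same ''add ...'' commands in an order nft accepts. The ordering is the part worth checking: the table, the sets and maps, and the target chain ''group_114'' must exist before any rule or verdict-map element refers to them, otherwise ''nft -f'' rejects the batch. The GROUPS and PRIORITY_PEERS values are copied from this page; ''build_batch'' and ''render'' are names chosen for the example.<br />

```python
"""Generate the 'nft -f' batch for the classification ruleset on this page.

Added example, not the page's own code. The table name, chain names and
classids follow the page; build_batch()/render() are this example's names.
"""

TABLE = "ip filter"
UNTRACKED = "1:0xffff"   # router:untracked class
NON_SHAPED = "1:0x2"     # router:shaper class, traffic that is not shaped
PRIVATE = ["192.168.0.0/16", "10.0.0.0/8"]
PRIORITY_PEERS = ["8.8.8.8", "8.8.4.4"]        # elements of @priority_set

GROUPS = {  # data taken from the page: group id -> its subnets and hosts
    114: {
        "subnets": ["10.20.255.48/29", "10.20.255.88/29", "10.20.255.128/29"],
        "hosts": {  # local host -> (prio classid, normal classid)
            "10.20.255.50": ("1:0xffd9", "1:0xffd8"),
            "10.20.255.90": ("1:0xffd6", "1:0xffd5"),
            "10.20.255.130": ("1:0xffd3", "1:0xffd2"),
        },
    },
}


def build_batch(groups, peers, private=PRIVATE):
    """Return the nft batch as a list of command lines, in load order."""
    t = TABLE
    out = [
        f"add table {t}",
        f"add chain {t} forward {{ type filter hook forward priority 0; policy accept; }}",
        f"add map {t} subnet_map {{ type ipv4_addr : verdict; flags interval; }}",
        f"add set {t} priority_set {{ type ipv4_addr; flags interval; }}",
    ]
    out += [f"add element {t} priority_set {{ {p} }}" for p in peers]
    # forward: hand traffic of managed subnets to the group's chain (goto, no return)
    out += [f"add rule {t} forward meta priority 0 ip {d} vmap @subnet_map counter"
            for d in ("daddr", "saddr")]
    # remaining private traffic -> untracked class; everything else -> not shaped
    for net in private:
        for d in ("daddr", "saddr"):
            out.append(f'add rule {t} forward ip {d} {net} meta priority 0 '
                       f'meta priority set "{UNTRACKED}" counter log prefix "total - "')
    out.append(f'add rule {t} forward meta priority 0 meta priority set '
               f'"{NON_SHAPED}" counter log prefix "non_shaped - "')
    for hook in ("input", "output"):   # locally terminated traffic is not shaped
        out.append(f"add chain {t} {hook} {{ type filter hook {hook} priority 0; policy accept; }}")
        out.append(f'add rule {t} {hook} meta priority 0 meta priority set "{NON_SHAPED}" counter')
    for gid, g in groups.items():
        c = f"group_{gid}"
        # the chain and both maps must exist before rules and vmap elements use them
        out.append(f"add chain {t} {c}")
        out.append(f"add map {t} {c} {{ type ipv4_addr : classid; flags interval; }}")
        out.append(f"add map {t} {c}_prio {{ type ipv4_addr : classid; flags interval; }}")
        out.append(f"add rule {t} {c} meta priority 0 ip saddr @priority_set "
                   f"meta priority set ip daddr map @{c}_prio counter")
        out.append(f"add rule {t} {c} meta priority 0 ip daddr @priority_set "
                   f"meta priority set ip saddr map @{c}_prio counter")
        out.append(f"add rule {t} {c} meta priority 0 meta priority set ip daddr map @{c} counter")
        out.append(f"add rule {t} {c} meta priority 0 meta priority set ip saddr map @{c} counter")
        out.append(f'add rule {t} {c} meta priority 0 meta priority set "{UNTRACKED}" '
                   f'counter log prefix "{c} - "')
        out += [f"add element {t} subnet_map {{ {s} : goto {c} }}" for s in g["subnets"]]
        for host, (prio, normal) in g["hosts"].items():
            out.append(f'add element {t} {c}_prio {{ {host}/32 : "{prio}" }}')
            out.append(f'add element {t} {c} {{ {host}/32 : "{normal}" }}')
    return out


def render(lines):
    """Join the commands into the text of an .nft file."""
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render(build_batch(GROUPS, PRIORITY_PEERS)), end="")
```

Run it as ''python3 gen.py > classify.nft'' and validate the result with ''nft -c -f classify.nft'' before loading it; the check mode parses the whole batch, so a misordered element or a reference to a not-yet-created chain shows up without touching the live ruleset.<br />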
<br />
= Packet processing =<br />
* '''chain forward'''<br />
# packet passing through the server<br />
'''chain forward {'''<br />
# ''hook forward'' does the magic, not the name of the chain<br />
# ''priority filter'' can be used in newer versions of nftables (> 0.9.0)<br />
'''type filter hook forward priority filter; policy accept;'''<br />
# the packet is matched against '''subnet_map''' - it is a ''verdict map'', e.g. 10.20.255.48/29 : goto group_114<br />
'''meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0''' # the packet's dst address is looked up<br />
# it holds the decision on where to send a matching packet for further processing - chain group_114<br />
'''meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0''' # the packet's src address is looked up<br />
# a private destination subnet with no priority set yet is assigned 1:0xffff<br />
'''ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
# a private source subnet with no priority set yet is assigned 1:0xffff<br />
'''ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "''' <br />
'''ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "''' <br />
'''ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "''' <br />
# the rest of the traffic is sent to a separate tc class object<br />
'''meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "'''<br />
'''}'''<br />
<br />
* '''chain group_114'''<br />
# subnet_map redirected the packet here<br />
chain group_114 {<br />
# the packet's source / destination address is matched against the set named priority_set, and the packet must not have a priority set yet<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
# when matched, the packet's destination address is looked up in the group_114_prio map and the priority is set accordingly - 1:ffd9<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
# packets heading to / originating from non-prioritized addresses are matched in the next steps<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
# unknown traffic is assigned the untracked object - 1:0xffff<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
}<br />
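The walk through ''chain forward'' and ''chain group_114'' above, as an added example that is not code from the wiki page or from nftables: a small Python model of the page's ''table ip filter'' that takes a packet's source and destination address and returns the tc classid the ruleset would set, plus the log prefix of the rule that set it. It encodes the three semantics the walk depends on: every rule is guarded by ''meta priority none'' (written ''meta priority 0'' in the command form), so a packet that already carries a classid matches nothing; a ''vmap'' hit with ''goto'' never returns to the forward chain; and a failed map lookup in ''meta priority set ... map @...'' makes the whole rule not match, so the next rule is tried. The element data is copied from the page; longest-prefix matching for interval sets and the function names ''lookup'', ''classify'' and ''chain_group_114'' are this example's own choices.<br />

```python
"""Trace the page's nftables -> tc classification for one packet.

Added example, not nftables code. It mirrors table 'ip filter' from the
page: chain forward hands packets of managed subnets to chain group_114
through the subnet_map verdict map, and the first rule whose lookup succeeds
sets the tc classid ("priority").
"""
import ipaddress

# Elements copied from the page; interval sets/maps are (network, value) lists.
SUBNET_MAP = [("10.20.255.48/29", "group_114"), ("10.20.255.88/29", "group_114"),
              ("10.20.255.128/29", "group_114")]
PRIORITY_SET = ["8.8.8.8", "8.8.4.4"]           # prioritised remote peers
GROUP_114 = [("10.20.255.50", "1:ffd8"), ("10.20.255.90", "1:ffd5"),
             ("10.20.255.130", "1:ffd2")]        # local host -> normal class
GROUP_114_PRIO = [("10.20.255.50", "1:ffd9"), ("10.20.255.90", "1:ffd6"),
                  ("10.20.255.130", "1:ffd3")]   # local host -> prio class
PRIVATE = [("192.168.0.0/16", True), ("10.0.0.0/8", True)]
UNTRACKED, NON_SHAPED = "1:ffff", "1:2"


def lookup(interval_map, addr):
    """Longest-prefix match of addr in an interval set/map.
    Returns None when no element matches; in nftables that makes the rule
    containing the lookup not match, so evaluation moves to the next rule."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, value in interval_map:
        n = ipaddress.ip_network(net, strict=False)
        if ip in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, value)
    return None if best is None else best[1]


def in_set(elements, addr):
    """'ip saddr @priority_set' style membership test."""
    return lookup([(e, True) for e in elements], addr) is not None


def chain_group_114(saddr, daddr):
    """Rules of chain group_114; all are guarded by 'meta priority none'."""
    # traffic to/from a prioritised peer -> the local host's prio class
    if in_set(PRIORITY_SET, saddr) and lookup(GROUP_114_PRIO, daddr):
        return lookup(GROUP_114_PRIO, daddr), None
    if in_set(PRIORITY_SET, daddr) and lookup(GROUP_114_PRIO, saddr):
        return lookup(GROUP_114_PRIO, saddr), None
    # anything else to/from a known local host -> its normal class
    normal = lookup(GROUP_114, daddr) or lookup(GROUP_114, saddr)
    if normal:
        return normal, None
    # unknown traffic inside the group's subnets -> untracked class, logged
    return UNTRACKED, "group_114 - "


def classify(saddr, daddr, priority=None):
    """Walk chain forward for one packet.
    Returns (classid, log prefix or None). A packet that already carries a
    priority matches no rule and keeps it."""
    if priority is not None:
        return priority, None
    for addr in (daddr, saddr):              # the two vmap rules, daddr first
        if lookup(SUBNET_MAP, addr) == "group_114":
            return chain_group_114(saddr, daddr)   # goto: no return to forward
    for addr in (daddr, saddr):              # private ranges -> untracked class
        if lookup(PRIVATE, addr):
            return UNTRACKED, "total - "
    return NON_SHAPED, "non_shaped - "       # rest of the traffic is not shaped


if __name__ == "__main__":
    # constructed sample packets (saddr, daddr)
    for pkt in [("8.8.8.8", "10.20.255.50"), ("1.1.1.1", "10.20.255.130"),
                ("10.20.255.49", "1.1.1.1"), ("10.1.2.3", "1.1.1.1"),
                ("1.1.1.1", "9.9.9.9")]:
        print(pkt, "->", classify(*pkt))
```

The first sample packet is the one from the Introduction (8.8.8.8 to 10.20.255.50) and lands in 1:ffd9; the third shows why the fallback rule in ''chain group_114'' matters: 10.20.255.49 is inside a managed /29 but has no map element, and because ''goto'' does not return, only the chain's own last rule can give it a class. When a real ruleset classifies unexpectedly, comparing the ''counter'' and ''log prefix'' hits with the prefix returned here usually points at the rule in question.<br />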
<br />
= Additional documentations and articles =<br />
* this article can help a lot when defining the redesigned rule structure - it shows performance with different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page - it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree<br />
* there is not much information available about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=376
Classification to tc structure example
2019-04-13T12:16:51Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not only ''iptables'' but also the very poorly documented ''tc filter'' rules, allowing the user to classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has a very good impact on performance in large filtering structures, because they use hashing to find the correct value.<br />
* the action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x can be omitted, but it reminds one that it is a hex number - the double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or ''tc filter'', you can perform several actions and match several pieces of information in one single rule - a ''counter'' is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
'''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
packet: <br />
source address 8.8.8.8<br />
destination address 10.20.255.50<br />
* '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
* '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - the set can contain subnets too<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority based on its destination address, looked up in the map named group_114_prio - here the priority is set to 1:ffd9<br />
<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
table ip filter {<br />
map subnet_map {<br />
type ipv4_addr : verdict<br />
flags interval<br />
elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
10.20.255.128/29 : goto group_114 }<br />
}<br />
<br />
set priority_set { <br />
type ipv4_addr<br />
flags interval<br />
elements = { 8.8.8.8, 8.8.4.4 }<br />
} <br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
} <br />
<br />
chain forward {<br />
type filter hook forward priority filter; policy accept;<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " <br />
} <br />
<br />
chain input {<br />
type filter hook input priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
} <br />
<br />
chain output {<br />
type filter hook output priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
} <br />
<br />
chain group_114 {<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
}<br />
<br />
= Basic nftables commands =<br />
* executed using '''nft -f filename.nft''' - or, through libnftables, using the function ''nft_run_cmd_from_buffer''<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
* '''chain forward'''<br />
# packet passing through the server<br />
'''chain forward {'''<br />
# ''hook forward'' does the magic, not the name of the chain<br />
# ''priority filter'' can be used in newer versions of nftables (> 0.9.0)<br />
'''type filter hook forward priority filter; policy accept;'''<br />
# the packet is matched against '''subnet_map''' - it is a ''verdict map'', e.g. 10.20.255.48/29 : goto group_114<br />
'''meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0''' # the packet's dst address is looked up<br />
# it holds the decision on where to send a matching packet for further processing - chain group_114<br />
'''meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0''' # the packet's src address is looked up<br />
# a private destination subnet with no priority set yet is assigned 1:0xffff<br />
'''ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
# a private source subnet with no priority set yet is assigned 1:0xffff<br />
'''ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "''' <br />
'''ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "''' <br />
'''ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "''' <br />
# the rest of the traffic is sent to a separate tc class object<br />
'''meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "'''<br />
'''}'''<br />
<br />
* '''chain group_114'''<br />
# subnet_map redirected the packet here<br />
chain group_114 {<br />
# the packet's source / destination address is matched against the set named priority_set, and the packet must not have a priority set yet<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
# when matched, the packet's destination address is looked up in the group_114_prio map and the priority is set accordingly<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
}<br />
<br />
= Additional documentations and articles =<br />
* this article can help a lot when defining the redesigned rule structure - it shows performance with different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page - it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree<br />
* there is not much information available about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=375
Classification to tc structure example
2019-04-13T12:13:38Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not only ''iptables'' but also the very poorly documented ''tc filter'' rules, allowing the user to classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has a very good impact on performance in large filtering structures, because they use hashing to find the correct value.<br />
* the action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x can be omitted, but it reminds one that it is a hex number - the double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or ''tc filter'', you can perform several actions and match several pieces of information in one single rule - a ''counter'' is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
'''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
packet: <br />
source address 8.8.8.8<br />
destination address 10.20.255.50<br />
* '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
* '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - the set can contain subnets too<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority based on its destination address, looked up in the map named group_114_prio - here the priority is set to 1:ffd9<br />
<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
table ip filter {<br />
map subnet_map {<br />
type ipv4_addr : verdict<br />
flags interval<br />
elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
10.20.255.128/29 : goto group_114 }<br />
}<br />
<br />
set priority_set { <br />
type ipv4_addr<br />
flags interval<br />
elements = { 8.8.8.8, 8.8.4.4 }<br />
} <br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
} <br />
<br />
chain forward {<br />
type filter hook forward priority filter; policy accept;<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " <br />
} <br />
<br />
chain input {<br />
type filter hook input priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
} <br />
<br />
chain output {<br />
type filter hook output priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
} <br />
<br />
chain group_114 {<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
}<br />
<br />
= Basic nftables commands =<br />
* executed using '''nft -f filename.nft''' - or, through libnftables, using the function ''nft_run_cmd_from_buffer''<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
* '''chain forward'''<br />
# packet passing through the server<br />
'''chain forward {'''<br />
# ''hook forward'' does the magic, not the name of the chain<br />
# ''priority filter'' can be used in newer versions of nftables (> 0.9.0)<br />
'''type filter hook forward priority filter; policy accept;'''<br />
# the packet is matched against '''subnet_map''' - it is a ''verdict map'', e.g. 10.20.255.48/29 : goto group_114<br />
'''meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0''' # the packet's dst address is looked up<br />
# it holds the decision on where to send a matching packet for further processing - chain group_114<br />
'''meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0''' # the packet's src address is looked up<br />
# a private destination subnet with no priority set yet is assigned 1:0xffff<br />
'''ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
# a private source subnet with no priority set yet is assigned 1:0xffff<br />
'''ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "''' <br />
'''ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "''' <br />
'''ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "''' <br />
# the rest of the traffic is sent to a separate tc class object<br />
'''meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "'''<br />
'''}'''<br />
<br />
* '''chain group_114'''<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
}<br />
<br />
= Additional documentations and articles =<br />
* this article can help a lot when defining the redesigned rule structure - it shows performance with different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page - it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree<br />
* there is not much information available about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=374
Classification to tc structure example
2019-04-13T12:12:49Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not only ''iptables'' but also the very poorly documented ''tc filter'' rules, allowing the user to classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has a very good impact on performance in large filtering structures, because they use hashing to find the correct value.<br />
* the action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x can be omitted, but it reminds one that it is a hex number - the double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or ''tc filter'', you can perform several actions and match several pieces of information in one single rule - a ''counter'' is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
'''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
packet: <br />
source address 8.8.8.8<br />
destination address 10.20.255.50<br />
* '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
* '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - the set can contain subnets too<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority based on its destination address, looked up in the map named group_114_prio - here the priority is set to 1:ffd9<br />
<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
<source><br />
table ip filter {<br />
    map subnet_map {<br />
        type ipv4_addr : verdict<br />
        flags interval<br />
        elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
                     10.20.255.128/29 : goto group_114 }<br />
    }<br />
<br />
    set priority_set {<br />
        type ipv4_addr<br />
        flags interval<br />
        elements = { 8.8.8.8, 8.8.4.4 }<br />
    }<br />
<br />
    map group_114 {<br />
        type ipv4_addr : classid<br />
        flags interval<br />
        elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
                     10.20.255.130 : 1:ffd2 }<br />
    }<br />
<br />
    map group_114_prio {<br />
        type ipv4_addr : classid<br />
        flags interval<br />
        elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
                     10.20.255.130 : 1:ffd3 }<br />
    }<br />
<br />
    chain forward {<br />
        type filter hook forward priority filter; policy accept;<br />
        meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
        meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
        ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
        ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
        ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
        ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
        meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
    }<br />
<br />
    chain input {<br />
        type filter hook input priority filter; policy accept;<br />
        meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
    }<br />
<br />
    chain output {<br />
        type filter hook output priority filter; policy accept;<br />
        meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
    }<br />
<br />
    chain group_114 {<br />
        meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
        meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
        meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
        meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
        meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
    }<br />
}<br />
</source><br />
<br />
= Basic nftables commands =<br />
* executed with '''nft -f filename.nft''', or programmatically through the libnftables function ''nft_run_cmd_from_buffer''<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set { 8.8.8.8 }<br />
add element ip filter priority_set { 8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
<source><br />
# a packet passing through the server is handled in chain forward<br />
chain forward {<br />
    # the hook (forward) decides which packets this chain sees, not the chain's name<br />
    # "priority filter" can be used in newer versions of nftables > 0.9.0<br />
    type filter hook forward priority filter; policy accept;<br />
    # the packet's dst address is looked up in subnet_map, a verdict map (10.20.255.48/29 : goto group_114):<br />
    # on a hit the verdict sends the packet to chain group_114 for further processing<br />
    meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
    # the same lookup on the packet's src address<br />
    meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
    # a private destination subnet without a priority set yet gets 1:0xffff<br />
    ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
    # a private source subnet without a priority set yet gets 1:0xffff<br />
    ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
    ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
    ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
    # the rest of the traffic is sent to a separate tc class<br />
    meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
}<br />
</source><br />
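The walk-through above, replayed as an added example that is not code from the wiki page or the nftables project: a small Python model of the page's ''table ip filter'' (interval sets and maps, the verdict map with ''goto'', the ''meta priority none'' guard and ''meta priority set ... map'' lookups) run over constructed packets. It simulates the documented semantics and does not call nftables; the packet addresses are made up for the example.<br />

```python
# Added example (not from the wiki page or the nftables project): a Python model
# of the page's "table ip filter" that replays how a packet receives its tc class
# id. It mimics the nftables semantics the ruleset relies on: interval sets and
# maps, verdict maps with goto, "meta priority none" as a guard, and
# "meta priority set ... map @m", where a map miss means the rule does not
# match and evaluation continues with the next rule.
from ipaddress import ip_address, ip_network

# Sets and maps copied from the page's nftables structure (sets are dicts too).
SUBNET_MAP = {"10.20.255.48/29": "group_114", "10.20.255.88/29": "group_114",
              "10.20.255.128/29": "group_114"}          # ipv4_addr : verdict
PRIORITY_SET = {"8.8.8.8": True, "8.8.4.4": True}
GROUP_114 = {"10.20.255.50": "1:ffd8", "10.20.255.90": "1:ffd5",
             "10.20.255.130": "1:ffd2"}                 # ipv4_addr : classid
GROUP_114_PRIO = {"10.20.255.50": "1:ffd9", "10.20.255.90": "1:ffd6",
                  "10.20.255.130": "1:ffd3"}
NET_192 = {"192.168.0.0/16": True}
NET_10 = {"10.0.0.0/8": True}


def lookup(container, addr):
    """Interval lookup: value of the first prefix/host containing addr, else None."""
    a = ip_address(addr)
    for key, value in container.items():
        if a in ip_network(key, strict=False):
            return value
    return None


class Packet:
    def __init__(self, saddr, daddr):
        self.saddr, self.daddr = saddr, daddr
        self.priority = None  # "meta priority none" until a rule sets it
        self.log = []         # log prefixes emitted on the way


# A rule is (guards, action, log prefix). Guards are (field, set) pairs that must
# all hold; the action is ("goto", field, vmap), ("map", field, map) or
# ("set", classid, None). Every rule on the page starts with "meta priority none".
def run_rule(pkt, guards, action, prefix):
    """Return a chain name for a goto verdict, True on match, False otherwise."""
    if pkt.priority is not None:
        return False
    for field, members in guards:
        if lookup(members, getattr(pkt, field)) is None:
            return False
    kind, arg, table = action
    if kind == "set":
        pkt.priority = arg
    else:
        value = lookup(table, getattr(pkt, arg))
        if value is None:     # lookup miss: the rule breaks, next rule is tried
            return False
        if kind == "goto":
            return value
        pkt.priority = value  # meta priority set <field> map @table
    if prefix:
        pkt.log.append(prefix)
    return True


CHAINS = {
    "forward": [
        ([], ("goto", "daddr", SUBNET_MAP), None),
        ([], ("goto", "saddr", SUBNET_MAP), None),
        ([("daddr", NET_192)], ("set", "1:ffff", None), "total - "),
        ([("saddr", NET_192)], ("set", "1:ffff", None), "total - "),
        ([("daddr", NET_10)], ("set", "1:ffff", None), "total - "),
        ([("saddr", NET_10)], ("set", "1:ffff", None), "total - "),
        ([], ("set", "1:2", None), "non_shaped - "),
    ],
    "group_114": [
        ([("saddr", PRIORITY_SET)], ("map", "daddr", GROUP_114_PRIO), None),
        ([("daddr", PRIORITY_SET)], ("map", "saddr", GROUP_114_PRIO), None),
        ([], ("map", "daddr", GROUP_114), None),
        ([], ("map", "saddr", GROUP_114), None),
        ([], ("set", "1:ffff", None), "group_114 - "),
    ],
}


def classify(saddr, daddr):
    """Run a constructed packet through chain forward; return (classid, logs)."""
    pkt, chain = Packet(saddr, daddr), "forward"
    while chain is not None:
        next_chain = None
        for guards, action, prefix in CHAINS[chain]:
            verdict = run_rule(pkt, guards, action, prefix)
            if isinstance(verdict, str):  # goto: jump, no return to the caller
                next_chain = verdict
                break
        chain = next_chain
    return pkt.priority, pkt.log


if __name__ == "__main__":
    print(classify("8.8.8.8", "10.20.255.50"), classify("1.1.1.1", "203.0.113.5"))
```

A packet from 8.8.8.8 to 10.20.255.50 ends up in class 1:ffd9, exactly as the page's example states, while a host inside a listed subnet but absent from both group maps falls through to 1:ffff with the "group_114 - " log prefix.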
* chain group_114 - the maps it looks up:<br />
<source><br />
map group_114 {<br />
    type ipv4_addr : classid<br />
    flags interval<br />
    elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
                 10.20.255.130 : 1:ffd2 }<br />
}<br />
<br />
map group_114_prio {<br />
    type ipv4_addr : classid<br />
    flags interval<br />
    elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
                 10.20.255.130 : 1:ffd3 }<br />
}<br />
</source><br />
<br />
= Additional documentations and articles =<br />
* this article can help a lot when defining the redesigned rule structure: it shows performance with different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page - it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree<br />
* beyond that there is not much information about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=373
Classification to tc structure example
2019-04-13T12:11:56Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=372
Classification to tc structure example
2019-04-13T12:10:33Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not even ''iptables'', but it can be used to replace very poorly documented ''tc filter'' rules and allow user to classify packets into tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has very good impact on performance in large filtering structures, because they use hashing to get correct value. <br />
* action used to classify packets into tc structure is '''meta set priority "1:0x2"''' - 0x can be omitted, but it remembers one it is hex number - double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions in one single rule and match several informations - counter is must have for debugging<br />
* You will have to redesign your rule structure to benefit from these new nice features.<br />
'''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
packet: <br />
source address 8.8.8.8<br />
destination address 10.20.255.50<br />
* '''meta priority none''' - matches packet only when there is no priority - tc class id - set yet<br />
* '''ip saddr @priority_set''' - matches packet only when source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - can be subnet too<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets priority to packet based on its destination address, which is read from map named group_114_prio - sets priority to 1:ffd9<br />
<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
table ip filter {<br />
map subnet_map {<br />
type ipv4_addr : verdict<br />
flags interval<br />
elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
10.20.255.128/29 : goto group_114 }<br />
}<br />
<br />
set priority_set { <br />
type ipv4_addr<br />
flags interval<br />
elements = { 8.8.8.8, 8.8.4.4 }<br />
} <br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
} <br />
<br />
chain forward {<br />
type filter hook forward priority filter; policy accept;<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " <br />
} <br />
<br />
chain input {<br />
type filter hook input priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
} <br />
<br />
chain output {<br />
type filter hook output priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
} <br />
<br />
chain group_114 {<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
}<br />
<br />
= Basic nftables commands =<br />
* executed using '''nft -f filename.nft''' - or using function ''nft_run_cmd_from_buffer'' - libnftables<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
# packet passing through server is handled in '''chain forward'''<br />
'''chain forward {'''<br />
# ''hook forward'' does the magic, not the name of the chain<br />
# ''priority filter'' can be used in newer versions of nftables > 0.9.0<br />
'''type filter hook forward priority filter; policy accept;'''<br />
# packet is matched against '''subnet_map''' - it is ''verdict map''<br />
'''meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0''' # packet's dst address is looked up<br />
# it contains decision on where to send the packet for further processing when matched - chain group_114<br />
'''meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0''' # packet's src address is looked up<br />
# private destination subnet without set priority is set to 1:0xffff<br />
'''ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "'''<br />
# private source subnet without set priority is set to 1:0xffff<br />
'''ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "''' <br />
'''ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "''' <br />
'''ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "''' <br />
# rest of traffic is sent to separate tc class object<br />
'''meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "'''<br />
'''}'''<br />
<br />
= Additional documentations and articles =<br />
* this article helps a lot when defining the redesigned rule structure: it shows the performance of different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page; it can be generated as a PDF from the source tree with '''nftables/doc/build_pdfs.sh'''<br />
* there is not much information about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=371
Classification to tc structure example
2019-04-13T12:09:16Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not only ''iptables'' but also the very poorly documented ''tc filter'' rules, allowing the user to classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which greatly improves performance in large filtering structures because lookups are hash-based. <br />
* the action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x prefix can be omitted, but remember that the value is a hex number - the double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions and match on several fields in one single rule - a ''counter'' is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
'''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
packet: <br />
source address 8.8.8.8<br />
destination address 10.20.255.50<br />
* '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
* '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set (8.8.8.8 or 8.8.4.4 in our case) - subnets are allowed too<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority according to its destination address, looked up in the map named group_114_prio - here it sets priority 1:ffd9<br />
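The walk-through above can be traced offline with the following Python model, which is an added illustration and not code from the wiki page or the nftables project: it reproduces the page's sets, maps and the forward / group_114 rules (the sample packets are constructed) and reports which tc class id a packet ends up with and which log prefix fires. Function names such as classify_forward are this example's own.<br />

```python
# Added example (not code from the wiki page): a small Python model of the
# forward -> group_114 classification path, so the priority assignment for a
# given packet can be traced without loading the ruleset into a kernel.
# Set, map and chain contents are copied from the page's "Basic prototype -
# nftables structure"; the sample packets at the bottom are constructed.
import ipaddress

IPNet = ipaddress.IPv4Network


def _nets(*cidrs):
    return [IPNet(c) for c in cidrs]


# set priority_set { type ipv4_addr; flags interval; }
PRIORITY_SET = _nets("8.8.8.8", "8.8.4.4")

# map subnet_map { type ipv4_addr : verdict; flags interval; }
SUBNET_MAP = {
    IPNet("10.20.255.48/29"): "group_114",
    IPNet("10.20.255.88/29"): "group_114",
    IPNet("10.20.255.128/29"): "group_114",
}

# map group_114 / group_114_prio { type ipv4_addr : classid; flags interval; }
GROUP_114 = {
    IPNet("10.20.255.50/32"): "1:ffd8",
    IPNet("10.20.255.90/32"): "1:ffd5",
    IPNet("10.20.255.130/32"): "1:ffd2",
}
GROUP_114_PRIO = {
    IPNet("10.20.255.50/32"): "1:ffd9",
    IPNet("10.20.255.90/32"): "1:ffd6",
    IPNet("10.20.255.130/32"): "1:ffd3",
}

# Private ranges that chain forward sends to class 1:ffff with prefix "total - ".
PRIVATE_NETS = _nets("192.168.0.0/16", "10.0.0.0/8")


def lookup(table, addr):
    """Interval map lookup: value of the first entry containing addr, or None.
    A failed map lookup means the nft rule simply does not match."""
    for net, value in table.items():
        if addr in net:
            return value
    return None


def in_set(members, addr):
    return any(addr in net for net in members)


def chain_group_114(saddr, daddr):
    """Rules of chain group_114. Every rule carries 'meta priority none', so the
    first rule whose lookup succeeds sets the class id and the rest are skipped."""
    if in_set(PRIORITY_SET, saddr):
        prio = lookup(GROUP_114_PRIO, daddr)
        if prio:
            return prio, None
    if in_set(PRIORITY_SET, daddr):
        prio = lookup(GROUP_114_PRIO, saddr)
        if prio:
            return prio, None
    prio = lookup(GROUP_114, daddr) or lookup(GROUP_114, saddr)
    if prio:
        return prio, None
    # last rule: hosts of the group's subnets without an explicit class -> 1:ffff
    return "1:ffff", "group_114 - "


def classify_forward(saddr, daddr):
    """Walk chain forward for a packet that has no priority set yet.
    Returns (classid, log_prefix_or_None) as the rules would produce."""
    saddr, daddr = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    # rules 1-2: verdict map on daddr, then on saddr; 'goto' never returns here
    if lookup(SUBNET_MAP, daddr) == "group_114" or lookup(SUBNET_MAP, saddr) == "group_114":
        return chain_group_114(saddr, daddr)
    # rules 3-6: remaining private traffic -> 1:ffff, logged with "total - "
    if in_set(PRIVATE_NETS, daddr) or in_set(PRIVATE_NETS, saddr):
        return "1:ffff", "total - "
    # last rule: everything else -> non-shaped class 1:2
    return "1:2", "non_shaped - "


if __name__ == "__main__":
    # constructed sample packets as (saddr, daddr)
    for pkt in [("8.8.8.8", "10.20.255.50"), ("1.1.1.1", "10.20.255.50"),
                ("10.20.255.49", "1.1.1.1"), ("192.168.1.5", "1.1.1.1"),
                ("1.1.1.1", "9.9.9.9")]:
        print(pkt, "->", classify_forward(*pkt))
```

The model keeps the two properties that matter when reading the ruleset: a ''goto'' into group_114 never returns to chain forward, so a packet from one of the mapped subnets with no map entry gets 1:ffff from the group chain (logged "group_114 - "), not from the 10.0.0.0/8 "total - " rule; and because every rule tests ''meta priority none'', only the first successful lookup decides the class.<br />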
<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
table ip filter {<br />
map subnet_map {<br />
type ipv4_addr : verdict<br />
flags interval<br />
elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
10.20.255.128/29 : goto group_114 }<br />
}<br />
<br />
set priority_set { <br />
type ipv4_addr<br />
flags interval<br />
elements = { 8.8.8.8, 8.8.4.4 }<br />
} <br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
} <br />
<br />
chain forward {<br />
type filter hook forward priority filter; policy accept;<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " <br />
} <br />
<br />
chain input {<br />
type filter hook input priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
} <br />
<br />
chain output {<br />
type filter hook output priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
} <br />
<br />
chain group_114 {<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
}<br />
<br />
= Basic nftables commands =<br />
* executed with '''nft -f filename.nft''', or programmatically through the libnftables function ''nft_run_cmd_from_buffer''<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
# packet passing through server is handled in '''chain forward'''<br />
chain forward {<br />
# ''hook forward'' does the magic, not the name of the chain<br />
# ''priority filter'' (the named priority) can be used in nftables versions newer than 0.9.0<br />
type filter hook forward priority filter; policy accept;<br />
# packet is matched against '''subnet_map''' - it is ''verdict map''<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0 # packet's dst address is looked up<br />
# it contains decision on where to send the packet for further processing when matched - chain group_114<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0 # packet's src address is looked up<br />
# private destination subnet without set priority is set to 1:0xffff<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
# private source subnet without set priority is set to 1:0xffff<br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
# rest of traffic is sent to separate tc class object<br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
}<br />
<br />
= Additional documentations and articles =<br />
* this article helps a lot when defining the redesigned rule structure: it shows the performance of different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page; it can be generated as a PDF from the source tree with '''nftables/doc/build_pdfs.sh'''<br />
* there is not much information about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=370
Classification to tc structure example
2019-04-13T12:05:49Z
<p>Vaclavz: /* Packet processing */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not only ''iptables'' but also the very poorly documented ''tc filter'' rules, allowing the user to classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which greatly improves performance in large filtering structures because lookups are hash-based. <br />
* the action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x prefix can be omitted, but remember that the value is a hex number - the double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions and match on several fields in one single rule - a ''counter'' is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
'''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
packet: <br />
source address 8.8.8.8<br />
destination address 10.20.255.50<br />
* '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
* '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set (8.8.8.8 or 8.8.4.4 in our case) - subnets are allowed too<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority according to its destination address, looked up in the map named group_114_prio - here it sets priority 1:ffd9<br />
<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
table ip filter {<br />
map subnet_map {<br />
type ipv4_addr : verdict<br />
flags interval<br />
elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
10.20.255.128/29 : goto group_114 }<br />
}<br />
<br />
set priority_set { <br />
type ipv4_addr<br />
flags interval<br />
elements = { 8.8.8.8, 8.8.4.4 }<br />
} <br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
} <br />
<br />
chain forward {<br />
type filter hook forward priority filter; policy accept;<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " <br />
} <br />
<br />
chain input {<br />
type filter hook input priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
} <br />
<br />
chain output {<br />
type filter hook output priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
} <br />
<br />
chain group_114 {<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
}<br />
<br />
= Basic nftables commands =<br />
* executed with '''nft -f filename.nft''', or programmatically through the libnftables function ''nft_run_cmd_from_buffer''<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set {8.8.8.8 }<br />
add element ip filter priority_set {8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
* packet passing through server is handled in '''chain forward'''<br />
* ''hook forward'' does the magic, not the name of the chain<br />
* ''priority filter'' (the named priority) can be used in nftables versions newer than 0.9.0<br />
* packet is matched against '''subnet_map''' - it is ''verdict map''<br />
* it contains decision on where to send the packet for further processing when matched<br />
chain forward {<br />
type filter hook forward priority filter; policy accept;<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0 # packet's dst address is looked up<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0 # packet's src address is looked up<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " # private destination subnet without set priority is set to 1:0xffff<br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " # private source subnet without set priority is set to 1:0xffff <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " # rest of traffic is sent to separate tc class object<br />
}<br />
<br />
= Additional documentations and articles =<br />
* this article helps a lot when defining the redesigned rule structure: it shows the performance of different rule setups, yet it tells almost nothing about classification itself<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* a very good source of information is the man page; it can be generated as a PDF from the source tree with '''nftables/doc/build_pdfs.sh'''<br />
* there is not much information about tc classification</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=369
Classification to tc structure example
2019-04-13T12:01:15Z
<p>Vaclavz: /* Basic nftables commands */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not only ''iptables'' but also the very poorly documented ''tc filter'' rules, allowing the user to classify packets into the tc class / qdisc infrastructure.<br />
* There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which greatly improves performance in large filtering structures because lookups are hash-based. <br />
* the action used to classify packets into the tc structure is '''meta priority set "1:0x2"''' - the 0x prefix can be omitted, but remember that the value is a hex number - the double quotes are required<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions and match on several fields in one single rule - a ''counter'' is a must-have for debugging<br />
* You will have to redesign your rule structure to benefit from these new features.<br />
'''example''':<br />
<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
<br />
packet: <br />
source address 8.8.8.8<br />
destination address 10.20.255.50<br />
* '''meta priority none''' - matches the packet only when no priority (tc class id) has been set yet<br />
* '''ip saddr @priority_set''' - matches the packet only when its source IP address is listed in the set named priority_set (8.8.8.8 or 8.8.4.4 in our case) - subnets are allowed too<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority according to its destination address, looked up in the map named group_114_prio - here it sets priority 1:ffd9<br />
<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
table ip filter {<br />
map subnet_map {<br />
type ipv4_addr : verdict<br />
flags interval<br />
elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
10.20.255.128/29 : goto group_114 }<br />
}<br />
<br />
set priority_set { <br />
type ipv4_addr<br />
flags interval<br />
elements = { 8.8.8.8, 8.8.4.4 }<br />
} <br />
<br />
map group_114 {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
10.20.255.130 : 1:ffd2 }<br />
} <br />
<br />
map group_114_prio {<br />
type ipv4_addr : classid<br />
flags interval<br />
elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
10.20.255.130 : 1:ffd3 }<br />
} <br />
<br />
chain forward {<br />
type filter hook forward priority filter; policy accept;<br />
meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " <br />
ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " <br />
ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " <br />
meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " <br />
} <br />
<br />
chain input {<br />
type filter hook input priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
} <br />
<br />
chain output {<br />
type filter hook output priority filter; policy accept;<br />
meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
} <br />
<br />
chain group_114 {<br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
}<br />
}<br />
<br />
= Basic nftables commands =<br />
* Load the commands with '''nft -f filename.nft''', or from a program through the libnftables function ''nft_run_cmd_from_buffer()''. Check a file first with ''nft -c -f filename.nft'', which parses and validates it without committing anything.<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set { 8.8.8.8 }<br />
add element ip filter priority_set { 8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
<br />
= Packet processing =<br />
* A packet passing through the server (not addressed to it) is handled in the ''forward'' chain.<br />
* The ''forward'' hook is what makes this work, not the name of the chain: any base chain registered on that hook would do.<br />
* The symbolic ''priority filter'' is accepted by newer nftables versions (after 0.9.0); older ones need the numeric ''priority 0''.<br />
* The packet is first matched against ''subnet_map'', a verdict map: the destination address, then the source address, is looked up and the map returns the verdict (here ''goto group_114'') that decides where the packet goes for further processing.<br />
* Every rule is guarded by ''meta priority none'', so only the first rule that sets a class id fires; ''goto'' does not return to the calling chain, and the base chain's ''accept'' policy applies once ''group_114'' finishes.<br />
* The class id stored this way is the socket-buffer priority that the ''hfsc'' root qdisc consults first: when the major number equals its own handle (''1:'') and the minor number names one of its leaf classes, the packet is enqueued into that class without any ''tc filter''.<br />
<source><br />
chain forward {<br />
    type filter hook forward priority filter; policy accept;<br />
    meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
    meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
    ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
    ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
    ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
    ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
    meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
}<br />
</source><br />
<br />
<br />
= Additional documentations and articles =<br />
* This article helps a lot when designing the redesigned rule structure: it measures performance with different rule layouts, but says almost nothing about classification itself:<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* A very good source of information is the man page; it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree.<br />
* There is not much information about tc classification.</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=368
Classification to tc structure example
2019-04-13T12:01:00Z
<p>Vaclavz: /* Basic prototype - nftables structure */</p>
<hr />
<div>= Introduction =<br />
* '''nftables''' can replace not only ''iptables'': it can also replace the very poorly documented ''tc filter'' rules and let you classify packets into a tc class/qdisc structure.<br />
* It also supports sets and maps (with much cleaner and more intuitive behaviour than ''tc filter''), which is very good for performance in large classification structures, because an element is found by a hash or tree lookup instead of a linear walk through rules.<br />
* The action that classifies a packet into the tc structure is '''meta priority set "1:0x2"'''. The minor number is hexadecimal; in the commands below the class id is written as a quoted string with an explicit ''0x'' (the ''0x'' can be omitted, but the number is still hex), and ''nft list ruleset'' prints it back as ''1:2''.<br />
<br />
* Note that, unlike ''iptables'' or '''tc filter''', you can perform several actions in one rule and match on several pieces of information at once; a ''counter'' in every rule is a must-have for debugging.<br />
* You will have to redesign your rule structure to benefit from these features.<br />
'''example''':<br />
<br />
<source><br />
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
</source><br />
<br />
packet:<br />
* source address 8.8.8.8<br />
* destination address 10.20.255.50<br />
* '''meta priority none''' - matches the packet only when no priority (tc class id) has been set on it yet<br />
* '''ip saddr @priority_set''' - matches only when the source address is listed in the set named ''priority_set'', here 8.8.8.8 or 8.8.4.4; because the set has ''flags interval'' the elements can be subnets too<br />
* '''meta priority set ip daddr map @group_114_prio''' - sets the packet's priority to the class id found by looking up the destination address in the map ''group_114_prio''; for 10.20.255.50 that is 1:ffd9. If the address has no element in the map, the rule does not match and evaluation continues with the next rule.<br />
* '''counter''' - counts matching packets and bytes, which is how you see which rule a packet actually hit<br />
<br />
<br />
= Basic prototype - tc class structure =<br />
<source lang="bash"><br />
+---(1:) hfsc<br />
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit<br />
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit <br />
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit <br />
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit <br />
| | | <br />
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit <br />
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit <br />
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit <br />
|<br />
|<br />
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit<br />
</source><br />
<br />
= Basic prototype - tc qdisc structure =<br />
<source lang="bash"><br />
qdisc hfsc 1: root refcnt 2 default 2<br />
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn<br />
</source><br />
<br />
= Basic prototype - nftables structure =<br />
<br />
<source><br />
table ip filter {<br />
    map subnet_map {<br />
        type ipv4_addr : verdict<br />
        flags interval<br />
        elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,<br />
                     10.20.255.128/29 : goto group_114 }<br />
    }<br />
<br />
    set priority_set {<br />
        type ipv4_addr<br />
        flags interval<br />
        elements = { 8.8.8.8, 8.8.4.4 }<br />
    }<br />
<br />
    map group_114 {<br />
        type ipv4_addr : classid<br />
        flags interval<br />
        elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,<br />
                     10.20.255.130 : 1:ffd2 }<br />
    }<br />
<br />
    map group_114_prio {<br />
        type ipv4_addr : classid<br />
        flags interval<br />
        elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,<br />
                     10.20.255.130 : 1:ffd3 }<br />
    }<br />
<br />
    chain forward {<br />
        type filter hook forward priority filter; policy accept;<br />
        meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
        meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
        ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
        ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
        ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
        ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
        meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
    }<br />
<br />
    chain input {<br />
        type filter hook input priority filter; policy accept;<br />
        meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195<br />
    }<br />
<br />
    chain output {<br />
        type filter hook output priority filter; policy accept;<br />
        meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859<br />
    }<br />
<br />
    chain group_114 {<br />
        meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0<br />
        meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0<br />
        meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0<br />
        meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0<br />
        meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "<br />
    }<br />
}<br />
</source><br />
<br />
= Basic nftables commands =<br />
* Load the commands with '''nft -f filename.nft''', or from a program through the libnftables function ''nft_run_cmd_from_buffer()''. Check a file first with ''nft -c -f filename.nft'', which parses and validates it without committing anything.<br />
<source><br />
add table ip filter<br />
add chain ip filter forward { type filter hook forward priority 0; policy accept; }<br />
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }<br />
add set ip filter priority_set { type ipv4_addr; flags interval; }<br />
add element ip filter priority_set { 8.8.8.8 }<br />
add element ip filter priority_set { 8.8.4.4 }<br />
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter<br />
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter<br />
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - " <br />
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - " <br />
add chain ip filter input { type filter hook input priority 0; policy accept; }<br />
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter<br />
add chain ip filter output { type filter hook output priority 0; policy accept; }<br />
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter <br />
add chain ip filter group_114<br />
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }<br />
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }<br />
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter<br />
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - " <br />
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }<br />
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }<br />
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }<br />
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }<br />
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }<br />
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }<br />
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }<br />
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }<br />
</source><br />
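The command list above is clearly generated per group, and every class id it hands out has to exist as a leaf under the root qdisc. The following is an added example, not code from the wiki page, from nftables or from iproute2: it builds one group's ''add'' lines from a customer table in the page's own layout and quoting style, then checks the class ids those lines can store in ''skb->priority'' against ''tc class show'' output. ''CUSTOMERS_114'' and ''TC_CLASS_SHOW'' are constructed sample input; the parser relies only on ''tc class show'' printing ''class <kind> <classid> ...'' at the start of each line.

```python
"""Generate one group's nftables commands from a customer table and check the
class ids they hand out against the tc class tree.  Added example, not code
from the wiki page, from nftables or from iproute2: the chain/map layout, the
quoting style and the class ids are the page's, while CUSTOMERS_114 and
TC_CLASS_SHOW are constructed sample input ('tc class show' prints lines of
the form 'class <kind> <classid> parent <id> ...', which is all that is parsed)."""
import ipaddress
import re

# (address, /29 it lives in, normal class, prio class), taken from the page's maps.
CUSTOMERS_114 = [
    ("10.20.255.50", "10.20.255.48/29", "1:ffd8", "1:ffd9"),
    ("10.20.255.90", "10.20.255.88/29", "1:ffd5", "1:ffd6"),
    ("10.20.255.130", "10.20.255.128/29", "1:ffd2", "1:ffd3"),
]

# Constructed 'tc class show dev <if>' output carrying the class ids of the tree printed above.
TC_CLASS_SHOW = """\
class hfsc 1: root
class hfsc 1:1 parent 1: ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit
class hfsc 1:2 parent 1:1 leaf 2: ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit
class hfsc 1:3 parent 1:1 ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit
class hfsc 1:72 parent 1:3 ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit
class hfsc 1:ffda parent 1:72 rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12s m2 56bit
class hfsc 1:ffd9 parent 1:ffda leaf ffd9: ls m1 160bit d 24s m2 112bit
class hfsc 1:ffd8 parent 1:ffda leaf ffd8: ls m1 80bit d 12s m2 56bit
class hfsc 1:ffd4 parent 1:72 rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12s m2 56bit
class hfsc 1:ffd3 parent 1:ffd4 leaf ffd3: ls m1 160bit d 24s m2 112bit
class hfsc 1:ffd2 parent 1:ffd4 leaf ffd2: ls m1 80bit d 12s m2 56bit
class hfsc 1:ffff parent 1:1 leaf ffff: ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit
"""


def nft_classid(classid):
    """Write a class id the way the page's commands do ("1:0xffd9"): quoted, with an
    explicit 0x so the hexadecimal minor number cannot be read as decimal."""
    major, minor = classid.split(":")
    return f'"{major}:0x{minor}"'


def group_commands(group, customers, table="ip filter"):
    """'add ...' lines for one group, in an order 'nft -f' accepts: chain and maps
    first, then the rules that reference them, then the elements."""
    chain, prio_map = f"group_{group}", f"group_{group}_prio"
    r = f"add rule {table} {chain} meta priority 0"
    lines = [
        f"add chain {table} {chain}",
        f"add map {table} {chain} {{ type ipv4_addr : classid; flags interval; }}",
        f"add map {table} {prio_map} {{ type ipv4_addr : classid; flags interval; }}",
        f"{r} ip saddr @priority_set meta priority set ip daddr map @{prio_map} counter",
        f"{r} ip daddr @priority_set meta priority set ip saddr map @{prio_map} counter",
        f"{r} meta priority set ip daddr map @{chain} counter",
        f"{r} meta priority set ip saddr map @{chain} counter",
        f'{r} meta priority set {nft_classid("1:ffff")} counter log prefix "{chain} - "',
    ]
    for subnet in sorted({c[1] for c in customers}, key=ipaddress.ip_network):
        lines.append(f"add element {table} subnet_map {{ {subnet} : goto {chain} }}")
    for addr, subnet, normal, prio in customers:
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(subnet):
            raise ValueError(f"{addr} is outside {subnet}: subnet_map would never reach {chain}")
        lines.append(f"add element {table} {prio_map} {{ {addr}/32 : {nft_classid(prio)} }}")
        lines.append(f"add element {table} {chain} {{ {addr}/32 : {nft_classid(normal)} }}")
    return lines


def tc_classids(tc_class_show):
    """Class ids present in 'tc class show' output."""
    return set(re.findall(r"^class \S+ (\S+)", tc_class_show, re.M))


def handed_out_classids(lines):
    """Every class id the generated rules and map elements can store in skb->priority."""
    found = re.findall(r'"(\d+):0x([0-9a-fA-F]+)"', "\n".join(lines))
    return {f"{major}:{int(minor, 16):x}" for major, minor in found}


def missing_classes(lines, tc_class_show):
    """Class ids nftables can hand out that the root qdisc does not have.  A packet
    carrying such a priority is not dropped: hfsc ignores the unknown id and, with
    no tc filter attached, enqueues it into the qdisc's 'default' class (1:2 here),
    so the customer silently ends up in the wrong shaper."""
    return sorted(handed_out_classids(lines) - tc_classids(tc_class_show))


if __name__ == "__main__":
    cmds = group_commands(114, CUSTOMERS_114)
    print("\n".join(cmds))
    print("# handed out by nftables but absent from tc:", missing_classes(cmds, TC_CLASS_SHOW))
```

Run against the class tree printed on this page, ''missing_classes()'' reports ''1:ffd5'' and ''1:ffd6'': the maps hand them out for 10.20.255.90, but the tree listing above shows no shape 1142 with those leaves. Whether that is an abbreviated listing or a real gap is exactly what the check is for; in production feed it the live ''tc class show dev <if>'' output before loading the generated file with ''nft -f''.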
<br />
= Packet processing =<br />
* A packet passing through the server (not addressed to it) is handled in the ''forward'' chain.<br />
* The ''forward'' hook is what makes this work, not the name of the chain: any base chain registered on that hook would do.<br />
* The symbolic ''priority filter'' is accepted by newer nftables versions (after 0.9.0); older ones need the numeric ''priority 0''.<br />
* The packet is first matched against ''subnet_map'', a verdict map: the destination address, then the source address, is looked up and the map returns the verdict (here ''goto group_114'') that decides where the packet goes for further processing.<br />
* Every rule is guarded by ''meta priority none'', so only the first rule that sets a class id fires; ''goto'' does not return to the calling chain, and the base chain's ''accept'' policy applies once ''group_114'' finishes.<br />
* The class id stored this way is the socket-buffer priority that the ''hfsc'' root qdisc consults first: when the major number equals its own handle (''1:'') and the minor number names one of its leaf classes, the packet is enqueued into that class without any ''tc filter''.<br />
<source><br />
chain forward {<br />
    type filter hook forward priority filter; policy accept;<br />
    meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0<br />
    meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0<br />
    ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
    ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "<br />
    ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "<br />
    ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "<br />
    meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "<br />
}<br />
</source><br />
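The walk through the ruleset described in the Introduction's worked example and in the bullets above, as an added example that is not part of the wiki page or of nftables: a plain-Python model of the ''ip filter'' table that reports which class id and which log prefix a forwarded packet ends up with. The sets, maps and class ids are copied from the ruleset above; the packets fed to ''classify()'' are constructed, and ''None'' stands in for the zero ''skb->priority'' that ''meta priority none'' matches.

```python
"""Model of the classification ruleset on this page.  Added example, not code
from the wiki page or from nftables: it replays, in plain Python, what the
'ip filter' table does to a forwarded packet, so that rule order, the
'meta priority none' guards and the 'goto' can be checked without a kernel.
Sets, maps and class ids are copied from the ruleset; the packets given to
classify() are constructed test input."""
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# Sets and maps as declared in 'table ip filter' (all have 'flags interval').
PRIORITY_SET = [_net("8.8.8.8"), _net("8.8.4.4")]
SUBNET_MAP = {                                  # ipv4_addr : verdict
    _net("10.20.255.48/29"): "goto group_114",
    _net("10.20.255.88/29"): "goto group_114",
    _net("10.20.255.128/29"): "goto group_114",
}
GROUP_114 = {                                   # ipv4_addr : classid, 'normal' class
    _net("10.20.255.50"): "1:ffd8", _net("10.20.255.90"): "1:ffd5", _net("10.20.255.130"): "1:ffd2",
}
GROUP_114_PRIO = {                              # ipv4_addr : classid, 'prio' class
    _net("10.20.255.50"): "1:ffd9", _net("10.20.255.90"): "1:ffd6", _net("10.20.255.130"): "1:ffd3",
}


def lookup(interval_map, addr):
    """Interval map lookup: the most specific matching element wins; None on a miss."""
    ip = ipaddress.ip_address(addr)
    hits = [net for net in interval_map if ip in net]
    return interval_map[max(hits, key=lambda net: net.prefixlen)] if hits else None


def in_set(interval_set, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in interval_set)


class Packet:
    def __init__(self, saddr, daddr):
        self.saddr, self.daddr = saddr, daddr
        self.priority = None    # skb->priority; None stands for 0, which 'meta priority none' matches
        self.logs = []          # prefixes of the 'log' statements that fired

    def prio_none(self):
        return self.priority is None

    def set_priority(self, classid, log_prefix=None):
        """'meta priority set <classid> counter [log prefix ...]'.  A class id taken from
        a map that has no element for the address means the rule does not match:
        nothing is set or logged and the chain continues with the next rule."""
        if classid is None:
            return False
        self.priority = classid
        if log_prefix is not None:
            self.logs.append(log_prefix)
        return True


def chain_group_114(pkt):
    s, d = pkt.saddr, pkt.daddr
    if pkt.prio_none() and in_set(PRIORITY_SET, s):   # priority source: prio class of the destination
        pkt.set_priority(lookup(GROUP_114_PRIO, d))
    if pkt.prio_none() and in_set(PRIORITY_SET, d):   # priority destination: prio class of the source
        pkt.set_priority(lookup(GROUP_114_PRIO, s))
    if pkt.prio_none():                                # normal class of the destination, then the source
        pkt.set_priority(lookup(GROUP_114, d))
    if pkt.prio_none():
        pkt.set_priority(lookup(GROUP_114, s))
    if pkt.prio_none():                                # inside a shaped /29 but in neither map
        pkt.set_priority("1:ffff", "group_114 - ")


def chain_forward(pkt):
    s, d = pkt.saddr, pkt.daddr
    for addr in (d, s):                                # 'ip daddr vmap @subnet_map', then 'ip saddr vmap'
        if pkt.prio_none() and lookup(SUBNET_MAP, addr) == "goto group_114":
            chain_group_114(pkt)
            return pkt   # goto never returns here; the base chain policy (accept) applies
    for addr, cidr in ((d, "192.168.0.0/16"), (s, "192.168.0.0/16"),
                       (d, "10.0.0.0/8"), (s, "10.0.0.0/8")):
        if pkt.prio_none() and ipaddress.ip_address(addr) in _net(cidr):
            pkt.set_priority("1:ffff", "total - ")
    if pkt.prio_none():                                # last rule: everything still unclassified
        pkt.set_priority("1:2", "non_shaped - ")
    return pkt


def classify(saddr, daddr):
    """(class id, log prefixes) for a packet entering the forward hook with priority unset."""
    pkt = chain_forward(Packet(saddr, daddr))
    return pkt.priority, pkt.logs


if __name__ == "__main__":
    for s, d in [("8.8.8.8", "10.20.255.50"), ("10.20.255.50", "8.8.4.4"),
                 ("1.1.1.1", "10.20.255.90"), ("1.1.1.1", "10.20.255.55"),
                 ("1.1.1.1", "10.20.1.1"), ("1.1.1.1", "9.9.9.9")]:
        print(f"{s:>14} -> {d:<14} {classify(s, d)}")
```

Two things the model makes visible that the listing alone does not: a map miss is not an error but a non-match, so an address inside one of the shaped /29s that has no element in ''group_114'' or ''group_114_prio'' falls through to the last rule and lands in the untracked class ''1:ffff'' with the ''group_114 - '' log prefix; and the reply direction (priority host as destination) is classified by the source address, which is why each rule exists twice.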
<br />
<br />
= Additional documentations and articles =<br />
* This article helps a lot when designing the redesigned rule structure: it measures performance with different rule layouts, but says almost nothing about classification itself:<br />
* https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/<br />
<br />
* A very good source of information is the man page; it can be generated as a PDF with '''nftables/doc/build_pdfs.sh''' in the source tree.<br />
* There is not much information about tc classification.</div>
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Classification_to_tc_structure_example&diff=367
Classification to tc structure example
2019-04-13T12:00:06Z
<p>Vaclavz: Classification to tc structure example</p>
<hr />
Vaclavz
http://wiki.nftables.org/wiki-nftables/index.php?title=Main_Page&diff=366
Main Page
2019-04-13T10:58:42Z
<p>Vaclavz: /* Examples */</p>
<hr />
<div>Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.<br />
<br />
If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.<br />
<br />
= Introduction =<br />
<br />
* [[What is nftables?]]<br />
* [[Why nftables?]]<br />
* [[Main differences with iptables]]<br />
* [[Netfilter hooks]] and integration with existing Netfilter components.<br />
* [[Adoption]]<br />
* [[Legacy xtables tools]]<br />
<br />
= Getting started =<br />
<br />
* [[Building and installing nftables from sources]]<br />
* Using [[nftables from distributions]]<br />
* [[Troubleshooting|Troubleshooting and FAQ]]<br />
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]<br />
* [[nftables families|Understanding nftables families]]<br />
<br />
= Basic operation =<br />
<br />
* [[Configuring tables]]<br />
* [[Configuring chains]]<br />
* [[Simple rule management]]<br />
* [[Atomic rule replacement]]<br />
* [[Error reporting from the command line]]<br />
* [[Building rules through expressions]]<br />
* [[Operations at ruleset level]]<br />
* [[Monitoring ruleset updates]]<br />
* [[Scripting]]<br />
* [[Ruleset debug/tracing]]<br />
* [[Moving from iptables to nftables]]<br />
* [[Moving from ipset to nftables]]<br />
<br />
= Supported selectors for packet matching =<br />
<br />
* [[Matching packet header fields]]<br />
* [[Matching packet metainformation]]<br />
* [[Matching connection tracking stateful metainformation]]<br />
* [[Rate limiting matchings]]<br />
* [[Routing information]]<br />
<br />
= Possible actions on packets =<br />
<br />
* [[Accepting and dropping packets]]<br />
* [[Jumping to chain]]<br />
* [[Rejecting traffic]]<br />
* [[Logging traffic]]<br />
* [[Performing Network Address Translation (NAT)]]<br />
* [[Setting packet metainformation]]<br />
* [[Queueing to userspace]]<br />
* [[Duplicating packets]]<br />
* [[Mangle packet header fields]]<br />
* [[Mangle TCP options]]<br />
* [[Counters]]<br />
* [[Load balancing]]<br />
* [[Setting packet connection tracking metainformation]]<br />
<br />
Note that, unlike ''iptables'', you can perform several actions in one single rule.<br />
<br />
= Advanced data structures for performance packet classification =<br />
<br />
You will have to redesign your rule-set to benefit from these new nice features:<br />
<br />
* [[Sets]]<br />
* [[Dictionaries]]<br />
* [[Intervals]]<br />
* [[Maps]]<br />
* [[Concatenations]]<br />
* [[Meters|Metering]] (formerly known as flow tables before nftables 0.8.1 release)<br />
* [[Updating sets from the packet path]]<br />
* [[Element timeouts]]<br />
* [[Math operations]]<br />
* [[Stateful objects]]<br />
<br />
If you are already using [[ipset]] in your ''iptables'' rule-set, the transition may be a bit simpler for you.<br />
<br />
= Examples =<br />
<br />
* [[Simple ruleset for a workstation]]<br />
* [[Bridge filtering]]<br />
* [[Multiple NATs using nftables maps]]<br />
* [[Classic perimetral firewall example]]<br />
* [[Port knocking example]]<br />
* [[Classification to tc structure example]] - WIP<br />
<br />
= Development progress =<br />
<br />
* [[List of updates since Linux kernel 3.13]]<br />
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]<br />
* [[List of available translations via iptables-translate tool]]<br />
<br />
= External links =<br />
<br />
Watch some videos:<br />
<br />
* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.<br />
* Watch [https://www.youtube.com/watch?v=CaYp0d2wiuU#t=1m47s The ultimate packet classifier for GNU/Linux], thanks to the FSFE for paying my trip to Barcelona and for recommending me as speaker to the KDE Spanish branch.<br />
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]<br />
* Watch [https://www.youtube.com/watch?v=qXVOA2MKA1s Netdev 2.1 - Netfilter workshop]<br />
* Watch [https://youtu.be/iCj10vEKPrw Netdev 2.2 - Netfilter mini-workshop]<br />
* Watch [https://youtu.be/0hqfzp6tpZo Netdev 0x12 - Netfilter mini-workshop]<br />
* Watch [https://www.youtube.com/watch?v=0wQfSfDVN94 NLUUG - Goodbye iptables, Hello nftables]<br />
* Watch [https://www.youtube.com/watch?v=Uf5ULkEWPL0 LCA2018 - nftables from a user perspective]<br />
<br />
Additional documentations and articles:<br />
<br />
* Tutorial [https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/ Extending nftables by Xiang Gao]<br />
* Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables]<br />
<br />
= Thanks =<br />
<br />
To the NLnet foundation for initial sponsorship of this HOWTO:<br />
<br />
[https://nlnet.nl https://nlnet.nl/image/logo.gif]<br />
<br />
To Eric Leblond, for bootstrapping the [https://home.regit.org/netfilter-en/nftables-quick-howto/ Nftables quick howto] in 2013.</div>
Vaclavz