Nftables families: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
(→‎inet: typo)
 
(19 intermediate revisions by 5 users not shown)
Line 1: Line 1:
nftables '''families''' are a new concept introduced with this technology which was previously missing in the iptables world.
[https://netfilter.org/ Netfilter] enables filtering at multiple [https://en.wikipedia.org/wiki/Internet_protocol_suite networking levels]. With iptables there is a separate tool for each level: ''iptables'', ''ip6tables'', ''arptables'', ''ebtables''. With nftables the multiple networking levels are abstracted into '''families''', all of which are served by the single tool ''nft''.
You may already know that the nftables framework is designed to work with all typical address families (IPv4, IPv6, ARP).
In the past, all the families were handled by different tools: iptables, ip6tables, arptables, ebtables.


Please note that what traffic/packets you see and at which point in the network stack depends on the '''chain hook''' you are using.
Please note that what traffic/packets you see and at which point in the network stack depends on the [[Netfilter_hooks|'''hook''']] you are using.
You can create tables/chains/sets/rules in any family with the '''nft''' command line interface, out of the box, no need for different tools.
 
Additional families may be added in the future for extended nftables functionalities.
Following are descriptions of current nftables families. Additional families may be added in the future.


== ip ==
== ip ==


Tables of this family will see IPv4 traffic/packets.
Tables of this family see [https://en.wikipedia.org/wiki/IPv4 IPv4] traffic/packets.
The iptables tool was the equivalent in the old x_tables world.
The ''iptables'' tool is the legacy x_tables equivalent.


== ip6 ==
== ip6 ==


Tables of this family will see IPv6 traffic/packets.
Tables of this family see [https://en.wikipedia.org/wiki/IPv6 IPv6] traffic/packets.
The ip6tables tool was the equivalent in the old x_tables world.
The ''ip6tables'' tool is the legacy x_tables equivalent.


== inet ==
== inet ==


Tables of this family will see both IPv4/IPv6 traffic/packets, designed to improve dual stack support.
Tables of this family see both IPv4 and IPv6 traffic/packets, simplifying dual stack support.
Mixing iptables and ip6tables rules in the same box was the equivalent in the old x_tables world.


Both IPv4/IPv6 packets will traverse the same rules. Rules for IPv4 packets won't affect IPv6 packets.
Within a table of ''inet'' family, both IPv4 and IPv6 packets traverse the same rules. Rules for IPv4 packets don't affect IPv6 packets and vice-versa. Rules for both layer 3 protocols affect both. Use [[Matching_packet_headers#Matching_transport_protocol|meta l4proto]] l4proto to match on the layer 4 protocol, regardless of whether the packet is IPv4 or IPv6.
Rules for both L3 protocol will affect both.


Examples:
Examples:
<source>
<source>
# this rule only affects IPv4 packets
# This rule affects only IPv4 packets:
add rule inet filter input ip saddr 1.1.1.1 counter accept  
add rule inet filter input ip saddr 1.1.1.1 counter accept
# this rule only affects IPv6 packets
 
# This rule affects only IPv6 packets:
add rule inet filter input ip6 daddr fe00::2 counter accept
add rule inet filter input ip6 daddr fe00::2 counter accept
# these rules affects both IPv4/IPv6 packets
 
# These rules affect both IPv4 and IPv6 packets:
add rule inet filter input ct state established,related counter accept
add rule inet filter input ct state established,related counter accept
add rule inet filter input udp dport 53 accept
add rule inet filter input udp dport 53 accept
</source>
</source>
New in nftables 0.9.7 and Linux kernel 5.10 is the inet family [[Netfilter_hooks|''ingress'']] hook, which filters at the same location as the netdev ''ingress'' hook.


== arp ==
== arp ==


Tables of this family will see ARP-level (i.e, L2) traffic, before any L3 handling is done by the kernel.
Tables of this family see [https://en.wikipedia.org/wiki/Address_Resolution_Protocol ARP]-level (i.e, L2) traffic, before any L3 handling is done by the kernel. The ''arptables'' tool is the legacy x_tables equivalent.
The arptables tool was the equivalent in the old x_tables world.


== bridge ==
== bridge ==


Tables of this family will see traffic/packets traversing bridges (i.e. switching). No assumptions are made about L3 protocols.
Tables of this family see traffic/packets traversing [https://wiki.linuxfoundation.org/networking/bridge bridges] (i.e. switching). No assumptions are made about L3 protocols.
The ebtables tool was the equivalent in the old x_tables world.
 
Also, some old x_tables modules such as ''physdev'' will eventually be served natively from this family.
The ''ebtables'' tool is the legacy x_tables equivalent. Some old x_tables modules such as ''physdev'' will also eventually be served from the nftables ''bridge'' family.


Note that there is no nf_conntrack integration for this family. However this may change in the future.
Note that there is no nf_conntrack integration for the nftables ''bridge'' family.


== netdev ==
== netdev ==


Tables of this family will see packets that the driver has just passed up to the networking stack, this means you see all traffic getting in into devices. Therefore, you can filter ARP traffic from here too.
The ''netdev'' family is different from the others in that it is used to create base chains attached to a '''single network interface'''. Such base chains see '''all''' network traffic on the specified interface, with no assumptions about L2 or L3 protocols. Therefore you can filter ARP traffic from here. There is no legacy x_tables equivalent to the ''netdev'' family.


Note that there is no equivalent in the old iptables world, this is a new feature available since 4.2 for nftables.
The principal (only?) use for this family is for base chains using the [[Netfilter_hooks|''ingress'' hook]], new in Linux kernel 4.2. Such ''ingress'' chains see network packets just after the NIC driver passes them up to the networking stack. This very early location in the packet path is ideal for dropping packets associated with [https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack DDoS] attacks. Dropping packets from an ''ingress'' chain is twice as efficient as doing so from a ''prerouting'' chain.  (Do note that in an ''ingress'' chain, fragmented datagrams have not yet been reassembled. So, for example, matching ip saddr and daddr works for all ip packets, but matching L4 headers like udp dport works only for unfragmented packets, or the first fragment.)


This family provides the ingress hook. This location is ideal to drop packets that result from DDOS attacks given this is very early in the packet path. Dropping packets from here is much more efficient than from the classic prerouting chain, by a factor of 2x.
The ''ingress'' hook provides an alternative to ''tc'' ingress filtering. You still need ''tc'' for traffic shaping/queue management.  


You can also use it for [[load balancing]], including Direct Server Return (DSR), [https://netdevconf.org/1.2/slides/oct6/08_nftables_Load_Balancing_with_nftables_II_Slides.pdf that has been reported 10x faster].
You can also use the ''ingress'' hook for [[load balancing]], including Direct Server Return (DSR), [https://netdevconf.org/1.2/slides/oct6/08_nftables_Load_Balancing_with_nftables_II_Slides.pdf that has been reported to be 10x faster].

Latest revision as of 18:13, 29 May 2024

Netfilter enables filtering at multiple networking levels. With iptables there is a separate tool for each level: iptables, ip6tables, arptables, ebtables. With nftables the multiple networking levels are abstracted into families, all of which are served by the single tool nft.

Please note that what traffic/packets you see and at which point in the network stack depends on the hook you are using.

Following are descriptions of current nftables families. Additional families may be added in the future.

ip

Tables of this family see IPv4 traffic/packets. The iptables tool is the legacy x_tables equivalent.

ip6

Tables of this family see IPv6 traffic/packets. The ip6tables tool is the legacy x_tables equivalent.

inet

Tables of this family see both IPv4 and IPv6 traffic/packets, simplifying dual stack support.

Within a table of inet family, both IPv4 and IPv6 packets traverse the same rules. Rules for IPv4 packets don't affect IPv6 packets and vice-versa. Rules for both layer 3 protocols affect both. Use meta l4proto l4proto to match on the layer 4 protocol, regardless of whether the packet is IPv4 or IPv6.

Examples:

# This rule affects only IPv4 packets:
add rule inet filter input ip saddr 1.1.1.1 counter accept

# This rule affects only IPv6 packets:
add rule inet filter input ip6 daddr fe00::2 counter accept

# These rules affect both IPv4 and IPv6 packets:
add rule inet filter input ct state established,related counter accept
add rule inet filter input udp dport 53 accept

New in nftables 0.9.7 and Linux kernel 5.10 is the inet family ingress hook, which filters at the same location as the netdev ingress hook.

arp

Tables of this family see ARP-level (i.e, L2) traffic, before any L3 handling is done by the kernel. The arptables tool is the legacy x_tables equivalent.

bridge

Tables of this family see traffic/packets traversing bridges (i.e. switching). No assumptions are made about L3 protocols.

The ebtables tool is the legacy x_tables equivalent. Some old x_tables modules such as physdev will also eventually be served from the nftables bridge family.

Note that there is no nf_conntrack integration for the nftables bridge family.

netdev

The netdev family is different from the others in that it is used to create base chains attached to a single network interface. Such base chains see all network traffic on the specified interface, with no assumptions about L2 or L3 protocols. Therefore you can filter ARP traffic from here. There is no legacy x_tables equivalent to the netdev family.

The principal (only?) use for this family is for base chains using the ingress hook, new in Linux kernel 4.2. Such ingress chains see network packets just after the NIC driver passes them up to the networking stack. This very early location in the packet path is ideal for dropping packets associated with DDoS attacks. Dropping packets from an ingress chain is twice as efficient as doing so from a prerouting chain. (Do note that in an ingress chain, fragmented datagrams have not yet been reassembled. So, for example, matching ip saddr and daddr works for all ip packets, but matching L4 headers like udp dport works only for unfragmented packets, or the first fragment.)

The ingress hook provides an alternative to tc ingress filtering. You still need tc for traffic shaping/queue management.

You can also use the ingress hook for load balancing, including Direct Server Return (DSR), that has been reported to be 10x faster.