Classification to tc structure example: Difference between revisions
Jump to navigation
Jump to search
Line 109: | Line 109: | ||
= Basic nftables commands = | = Basic nftables commands = | ||
* executed using nft -f filename.nft - or using function nft_run_cmd_from_buffer - libnftables | * executed using '''nft -f filename.nft''' - or using function ''nft_run_cmd_from_buffer'' - libnftables | ||
<source> | <source> | ||
add table ip filter | add table ip filter |
Revision as of 13:01, 13 April 2019
Introduction
- nftables can replace not even iptables, but it can be used to replace very poorly documented tc filter rules and allow user to classify packets into tc class / qdisc infrastructure.
- There is also support for sets and maps (with much cleaner and more intuitive behavior than in tc filter), which has very good impact on performance in large filtering structures, because they use hashing to get correct value.
- action used to classify packets into tc structure is meta set priority "1:0x2" - 0x can be omitted, but it remembers one it is hex number - double quotes are required
- Note that, unlike iptables or tc filter, you can perform several actions in one single rule and match several informations - counter is must have for debugging
- You will have to redesign your rule structure to benefit from these new nice features.
example:
meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0
packet:
source address 8.8.8.8 destination address 10.20.255.50
- meta priority none - matches packet only when there is no priority - tc class id - set yet
- ip saddr @priority_set - matches packet only when source IP address is listed in the set named priority_set - in our case 8.8.8.8 or 8.8.4.4 - can be subnet too
- meta priority set ip daddr map @group_114_prio - sets priority to packet based on its destination address, which is read from map named group_114_prio - sets priority to 1:ffd9
Basic prototype - tc class structure
+---(1:) hfsc
+---(router:root#1:1) hfsc ls m1 0bit d 0us m2 524288Kbit ul m1 0bit d 0us m2 524288Kbit
+---(router:shaper#1:2) hfsc ls m1 0bit d 0us m2 8192bit ul m1 0bit d 0us m2 524288Kbit
+---(router:10.20.0.11#1:3) hfsc ls m1 0bit d 0us m2 1432bit ul m1 0bit d 0us m2 524288Kbit
| +---(group:114#1:72) hfsc ls m1 0bit d 0us m2 240bit ul m1 0bit d 0us m2 62914Kbit
| | +---(shape:1141#1:ffda) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit
| | | +---(prio:1141#1:ffd9) hfsc ls m1 160bit d 24.0s m2 112bit
| | | +---(normal:1141#1:ffd8) hfsc ls m1 80bit d 12.0s m2 56bit
| | |
| | +---(shape:1143#1:ffd4) hfsc rt m1 0bit d 0us m2 1572Kbit ls m1 80bit d 12.0s m2 56bit ul m1 62914Kbit d 360.0s m2 31457Kbit
| | | +---(prio:1143#1:ffd3) hfsc ls m1 160bit d 24.0s m2 112bit
| | | +---(normal:1143#1:ffd2) hfsc ls m1 80bit d 12.0s m2 56bit
|
|
+---(router:untracked#1:ffff) hfsc ls m1 0bit d 0us m2 16bit ul m1 0bit d 0us m2 10485Kbit
Basic prototype - tc qdisc structure
qdisc hfsc 1: root refcnt 2 default 2
qdisc fq_codel 2: parent router:shaper#1:2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn
qdisc fq_codel ffd2: parent normal:1143#1:ffd2 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn
qdisc fq_codel ffd3: parent prio:1143#1:ffd3 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn
qdisc fq_codel ffd8: parent normal:1141#1:ffd8 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn
qdisc fq_codel ffd9: parent prio:1141#1:ffd9 limit 1024p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn
qdisc fq_codel ffff: parent router:untracked#1:ffff limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn
Basic prototype - nftables structure
table ip filter { map subnet_map { type ipv4_addr : verdict flags interval elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114, 10.20.255.128/29 : goto group_114 } } set priority_set { type ipv4_addr flags interval elements = { 8.8.8.8, 8.8.4.4 } } map group_114 { type ipv4_addr : classid flags interval elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5, 10.20.255.130 : 1:ffd2 } } map group_114_prio { type ipv4_addr : classid flags interval elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6, 10.20.255.130 : 1:ffd3 } } chain forward { type filter hook forward priority filter; policy accept; meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0 meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0 ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " } chain input { type filter hook input priority filter; policy accept; meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195 } chain output { type filter hook output priority filter; policy accept; meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859 } chain group_114 { meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0 meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0 meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0 meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - " } }
Basic nftables commands
- executed using nft -f filename.nft - or using function nft_run_cmd_from_buffer - libnftables
add table ip filter
add chain ip filter forward { type filter hook forward priority 0; policy accept; }
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }
add set ip filter priority_set { type ipv4_addr; flags interval; }
add element ip filter priority_set {8.8.8.8 }
add element ip filter priority_set {8.8.4.4 }
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - "
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - "
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - "
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - "
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - "
add chain ip filter input { type filter hook input priority 0; policy accept; }
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter
add chain ip filter output { type filter hook output priority 0; policy accept; }
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter
add chain ip filter group_114
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - "
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }
Packet processing
- packet passing through server is handled in forward chain
- hook forward does the magic, not the name of the chain
- priority filter can be used in newer versions of nftables > 0.9.0
- packet is matched against subnet_map - it is verdict map
- it contains decision on where to send the packet for further processing when matched
chain forward { type filter hook forward priority filter; policy accept; meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0 meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0 ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - " ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - " ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - " meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - " }
Additional documentations and articles
- this article can help a lot during definition of redesigned rule structure, it shows performance with different setup of rules, yet it tels almost nothing about classification itself
- https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/
- very good source of information is man page - it can be generated as pdf - in source code nftables/doc/build_pdfs.sh
- there is not much information about tc classification