Difference between revisions of "Atomic rule replacement"

From nftables wiki
Jump to: navigation, search
(Add notes for how flush behaves when including multiple files)
m (Atomic Rule Replacement: rule-set -> ruleset)
 
(5 intermediate revisions by 2 users not shown)
Line 5: Line 5:
 
== Atomic Rule Replacement ==
 
== Atomic Rule Replacement ==
  
You can use the ''-f'' option to atomically update your rule-set:
+
You can use the ''-f'' option to atomically update your ruleset:
  
 
<source lang="bash">
 
<source lang="bash">
Line 11: Line 11:
 
</source>
 
</source>
  
Where ''file'' contains your rule-set.
+
Where ''file'' contains your ruleset.
  
You can save your rule-set by storing the existing listing in a file, ie.
+
You can save your ruleset by storing the existing listing in a file, ie.
  
 
<source lang="bash">
 
<source lang="bash">
Line 25: Line 25:
 
</source>
 
</source>
  
'''Notes:'''
+
=== Notes ===
  
'''''Table Creation''''' - you may have to create the table with ''nft create table ip filter'' before you can load the file exported with ''nft list table filter > filter-table'' otherwise you will hit errors because the table does not exist.
+
Please, take these notes into consideration:
  
'''''Comments''''' - You can also add comments to the ''filter-table'' file. Comments are bash style, starting with # and go to the end of the line.
+
* Table Creation: you may have to create the table with ''nft create table ip filter'' before you can load the file exported with ''nft list table filter > filter-table'' otherwise you will hit errors because the table does not exist. Newer nftables releases behave with more consistency regarding this.
  
'''''Duplicate Rules''''' - If you prepend the ''flush table filter'' line at the very beginning of the ''filter-table'' file, you achieve atomic rule-set replacement equivalent to what ''iptables-restore'' provides. The kernel handles the rule commands in the file in one single transaction, so basically the flushing and the load of the new rules happens in one single shot. If you choose not to flush your tables then you will see duplicate rules for each time you reloaded the config.
+
* Duplicate Rules: If you prepend the ''flush table filter'' line at the very beginning of the ''filter-table'' file, you achieve atomic ruleset replacement equivalent to what ''iptables-restore'' provides. The kernel handles the rule commands in the file in one single transaction, so basically the flushing and the load of the new rules happens in one single shot. If you choose not to flush your tables then you will see duplicate rules for each time you reloaded the config.
  
'''''Flushing Sets''''' - ''flush table filter'' will not flush any sets defined in that table. To flush sets as well, use ''flush ruleset'' (not available in Linux 3.16 or below) or delete the sets explicitly. Early versions (Linux <=3.16) do not allow you to import a set if it already exists, but this is allowed in later versions.
+
* Flushing Sets: ''flush table filter'' will not flush any sets defined in that table. To flush sets as well, use ''flush ruleset'' (available since Linux 3.17 ) or delete the sets explicitly. Early versions (Linux <=3.16) do not allow you to import a set if it already exists, but this is allowed in later versions.
  
'''''Nftables Config File Formats''''' - ''nft -f <filename>'' accepts 2 formats, the first is the format seen in the output of ''nft list table''. The second is [[Scripting]] and is the format you typically see on this website.
+
* What happens when you include 2 files which each have a statement for the filter table? If you have two included files both with statements for the filter table, but one adds a rule allowing traffic from 192.168.1.1 and the other allows traffic from 192.168.1.2 then both rules will be included in the chain, even if one or both files contains a flush statement.
  
Example of nftables output format:
+
* What about flush statements in either, or neither file? If there are any flush commands in any included file then those will be run at the moment the config swap is executed, not at the moment the file is loaded. If you do not include a flush statement in any included file, you will get duplicate rules. If you do include a flush statement, you will not get duplicate rules and the config from *both* files will be included.
  
<source lang="bash">
+
== See also ==
% nft list table ip nat
 
table ip nat {
 
chain prerouting {
 
type filter hook prerouting priority 0; policy accept;
 
}
 
 
 
chain postrouting {
 
type filter hook postrouting priority 100; policy accept;
 
}
 
}
 
</source>
 
 
 
Example of scripted config format:
 
 
 
<source lang="bash">
 
% nft add table nat
 
% nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
 
% nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
 
</source>
 
 
 
'''Combining multiple files'''
 
 
 
''What happens when you include 2 files which each have a statement for the filter table?''
 
 
 
If you have two files, both ''include''d, both with statements for the filter table, but one adds a rule allowing traffic from 192.168.1.1 and the other allows traffic from 192.168.1.2 then both rules will be included in the chain, even if one or both files contains a flush statement.
 
 
 
''What about flush statements in either, or neither file?''
 
 
 
If there are any flush commands in any included file then those will be run at the moment the config swap is executed, not at the moment the file is loaded. If you do not include a flush statement in any included file, you will get duplicate rules. If you do include a flush statement, you will not get duplicate rules and the config from *both* files will be included.
 
  
'''Converting between formats'''
+
Some additional valuable information:
  
The easiest way to convert from scripted config format to output-based is to run the commands and then show the nftables config with  ''nft list table ip filter'' and then copy/paste that into your config file.
+
* [[Scripting]]
The easiest way to convert from output-based to scripted based is to lookup the equivalent on this wiki.
+
* [[Operations at ruleset level]]

Latest revision as of 17:46, 13 February 2021

Warning about Shell scripting + nftables

With iptables it was common to use a bash script comprised of multiple iptables commands to configure a firewall. This is sub-optimal because it is not atomic, that is to say that during the few fractions of a second that your bash script takes to run your firewall is in a partially configured state. Nftables introduces atomic rule replacement with the -f option. This is different from bash scripts because nftables will read in all of the included config files, create the config object in memory alongside the existing config, and then in one atomic operation it swaps the old config for the new one meaning there is no moment when the firewall is partially configured.

Atomic Rule Replacement

You can use the -f option to atomically update your ruleset:

% nft -f file

Where file contains your ruleset.

You can save your ruleset by storing the existing listing in a file, ie.

% nft list table filter > filter-table

Then you can restore it by using the -f option:

% nft -f filter-table

Notes

Please, take these notes into consideration:

  • Table Creation: you may have to create the table with nft create table ip filter before you can load the file exported with nft list table filter > filter-table otherwise you will hit errors because the table does not exist. Newer nftables releases behave with more consistency regarding this.
  • Duplicate Rules: If you prepend the flush table filter line at the very beginning of the filter-table file, you achieve atomic ruleset replacement equivalent to what iptables-restore provides. The kernel handles the rule commands in the file in one single transaction, so basically the flushing and the load of the new rules happens in one single shot. If you choose not to flush your tables then you will see duplicate rules for each time you reloaded the config.
  • Flushing Sets: flush table filter will not flush any sets defined in that table. To flush sets as well, use flush ruleset (available since Linux 3.17 ) or delete the sets explicitly. Early versions (Linux <=3.16) do not allow you to import a set if it already exists, but this is allowed in later versions.
  • What happens when you include 2 files which each have a statement for the filter table? If you have two included files both with statements for the filter table, but one adds a rule allowing traffic from 192.168.1.1 and the other allows traffic from 192.168.1.2 then both rules will be included in the chain, even if one or both files contains a flush statement.
  • What about flush statements in either, or neither file? If there are any flush commands in any included file then those will be run at the moment the config swap is executed, not at the moment the file is loaded. If you do not include a flush statement in any included file, you will get duplicate rules. If you do include a flush statement, you will not get duplicate rules and the config from *both* files will be included.

See also

Some additional valuable information: