Difference between revisions of "Sets"

From nftables wiki
Jump to navigation Jump to search
(Created page with "''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the represe...")
 
m (Fixed typo: dport 22 -> dport 23)
Line 54: Line 54:


<source lang="bash">
<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT

Revision as of 12:27, 24 November 2016

nftables comes with a built-in generic set infrastructure that allows you to use any supported selector to build sets. This infrastructure makes possible the representation of dictionaries and maps.

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

Anonymous sets

Anonymous sets are those that are:

  • Bound to a rule, if the rule is removed, that set is released too.
  • They have no specific name, the kernel internally allocates an identifier.
  • They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

% nft add rule filter output tcp dport { 22, 23 } counter

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

Named sets

You can create the named sets with the following command:

% nft add set filter blackhole { type ipv4_addr\;}

Note that blackhole is the name of the set in this case. The type option indicates the data type that this set stores, which is an IPv4 address in the case. Current maximum name length is 16 characters.

% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }

Then, you can use it from the rule:

% nft add rule ip input ip saddr @blackhole drop

The supported data types currently are:

  • ipv4_addr: IPv4 address
  • ipv6_addr: IPv6 address.
  • ether_addr: Ethernet address.
  • inet_proto: Inet protocol type.
  • inet_service: Internet service (read tcp port for example)
  • mark: Mark type.

Named sets can be updated anytime, so you can add and delete element from them.

Eric Leblond in his Why you will love nftables article shows a very simple example to compare iptables with nftables:

ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

Which can be expressed in nftables with a couple of rules that provide a set:

% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

Listing named sets

You can list the content of a named set via:

% nft list set filter myset