Difference between revisions of "Simple rule management"

From nftables wiki
Jump to navigation Jump to search
(Created page with "= Appending new rules = To add new rules, you have to specify the corresponding table and the chain that you want to use, eg. <source lang="bash"> % nft add rule filter outp...")
 
Line 233: Line 233:
</source>
</source>


You can effective note that the rule has been replaced by a simple rule that count any packets, instead of counting TCP packets as the previous rule was doing.
You can effective note that the rule has been replaced by a simple rule that counts any packets, instead of counting TCP packets as the previous rule was doing.

Revision as of 01:54, 7 October 2017

Appending new rules

To add new rules, you have to specify the corresponding table and the chain that you want to use, eg.

% nft add rule filter output ip daddr 8.8.8.8 counter

Where filter is the table and output is the chain. The example above adds a rule to match all packets seen by the output chain whose destination is 8.8.8.8, in case of matching it updates the rule counters. Note that counters are optional in nftables.

For those familiar with iptables, the rule appending is equivalent to -A command in iptables.

Listing rules

You can list the rules that are contained by a table with the following command:

% nft list table filter
table ip filter {
        chain input {
                 type filter hook input priority 0;
        }

        chain output {
                 type filter hook output priority 0;
                 ip daddr google-public-dns-a.google.com counter packets 0 bytes 0
        }
}

Assuming we also add a rule that uses a port:

% nft add rule filter output tcp dport ssh counter

You can disable host name resolution via using the -n option:

% nft list -n table filter
table ip filter {
        chain input {
                 type filter hook input priority 0;
        }

        chain output {
                 type filter hook output priority 0;
                 ip daddr 8.8.8.8 counter packets 0 bytes 0
                 tcp dport ssh counter packets 0 bytes 0
        }
}

You can also disable service name resolution via -nn:

% nft list -nn table filter
table ip filter {
        chain input {
                 type filter hook input priority 0;
        }

        chain output {
                 type filter hook output priority 0;
                 ip daddr 8.8.8.8 counter packets 0 bytes 0
                 tcp dport 22 counter packets 0 bytes 0
        }
}

Testing your rule

Let's test this rule with a simple ping to 192.168.1.1:

% ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=64 time=1.31 ms

Then, if we list the rule-set, we obtain:

% nft -nn list table filter
table ip filter {
        chain input {
                 type filter hook input priority 0;
        }

        chain output {
                 type filter hook output priority 0;
                 ip daddr 8.8.8.8 counter packets 1 bytes 84
                 tcp dport 22 counter packets 0 bytes 0
        }
}

Note that the counters have been updated.

Adding a rule at a given position

If you want to add a rule at a given position, you have to use the handle as reference:

% nft list table filter -n -a
table filter {
        chain output {
                 type filter hook output priority 0;
                 ip protocol tcp counter packets 82 bytes 9680 # handle 8
                 ip saddr 127.0.0.1 ip daddr 127.0.0.6 drop # handle 7
        }
}

If you want to add a rule after the rule with handler number 8, you have to type:

% nft add rule filter output position 8 ip daddr 127.0.0.8 drop

Now, you can check the effect of that command by listing the rule-set:

% nft list table filter -n -a
table filter {
        chain output {
                 type filter hook output priority 0;
                 ip protocol tcp counter packets 190 bytes 21908 # handle 8
                 ip daddr 127.0.0.8 drop # handle 10
                 ip saddr 127.0.0.1 ip daddr 127.0.0.6 drop # handle 7
        }
}

If you want to insert a rule before the rule with handler number 8, you have to type:

% nft insert rule filter output position 8 ip daddr 127.0.0.8 drop

Removing rules

You have to obtain the handle to delete a rule via the -a option. The handle is automagically assigned by the kernel and it uniquely identifies the rule.

% nft list table filter -a
table ip filter {
        chain input {
                 type filter hook input priority 0;
        }

        chain output {
                 type filter hook output priority 0;
                 ip daddr 192.168.1.1 counter packets 1 bytes 84 # handle 5
        }
}

You can delete the rule whose handle is 5 with the following command:

% nft delete rule filter output handle 5

Note: There are plans to support rule deletion by passing:

% nft delete rule filter output ip saddr 192.168.1.1 counter

but this is not yet implemented. So you'll have to use the handle to delete rules until that feature is implemented.

Removing all the rules in a chain

You can delete all the rules in a chain with the following command:

% nft delete rule filter output

You can also delete all the rules in a table with the following command:

% nft flush table filter

Prepending new rules

To prepend new rules through the insert command:

% nft insert rule filter output ip daddr 192.168.1.1 counter

This prepends a rule that will update per-rule packet and bytes counters for traffic addressed to 192.168.1.1.

The equivalent in iptables is:

% iptables -I OUTPUT -t filter -d 192.168.1.1

Note that iptables always provides per-rule counters.

Replacing rules

You can replace any rule via the replace command by indicating the rule handle. Therefore, first you have to list the ruleset with option -a to obtain the rule handle.

# nft list ruleset -a
table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
                ip protocol tcp counter packets 0 bytes 0 # handle 2
        }
}

Then, assuming you want to replace rule with handle number 2, you have to specify this handle number and the new rule that you want to place instead of it:

nft replace rule filter input handle 2 counter

Then, when listing back the ruleset:

# nft list ruleset -a
table ip filter {
        chain input {
                counter packets 0 bytes 0 
        }
}

You can effective note that the rule has been replaced by a simple rule that counts any packets, instead of counting TCP packets as the previous rule was doing.