diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..25d867d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/nftables-0.6.tar.bz2 diff --git a/.nftables.metadata b/.nftables.metadata new file mode 100644 index 0000000..641ee93 --- /dev/null +++ b/.nftables.metadata @@ -0,0 +1 @@ +c0f90a208e0ab5d43d3e638350a4fe58e6f4366f SOURCES/nftables-0.6.tar.bz2 diff --git a/README.md b/README.md deleted file mode 100644 index 98f42b4..0000000 --- a/README.md +++ /dev/null @@ -1,4 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/nft.8 b/SOURCES/nft.8 new file mode 100644 index 0000000..57d4da8 --- /dev/null +++ b/SOURCES/nft.8 
@@ -0,0 +1,2042 @@ +.\" t +.\" -*- coding: us-ascii -*- +.if \n(.g .ds T< \\FC +.if \n(.g .ds T> \\F[\n[.fam]] +.de URL +\\$2 \(la\\$1\(ra\\$3 +.. +.if \n(.g .mso www.tmac +.TH nft 8 "29 June 2016" "" "" +.SH NAME +nft \- Administration tool for packet filtering and classification +.SH SYNOPSIS +'nh +.fi +.ad l +\fBnft\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[ +\fB-n | --numeric\fR +] [ +\fB[-I | --includepath]\fR +\fIdirectory\fR +] [ +\fB[-f | --file]\fR +\fIfilename\fR +| +\fB[-i | --interactive]\fR +| +\fIcmd\fR +\&...] +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fBnft\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[ +\fB-h | --help\fR +] [ +\fB-v | --version\fR +] +'in \n(.iu-\nxu +.ad b +'hy +.SH DESCRIPTION +nft is used to set up, maintain and inspect packet +filtering and classification rules in the Linux kernel. +.SH OPTIONS +For a full summary of options, run \fBnft --help\fR. +.TP +\*(T<\fB\-h, \-\-help\fR\*(T> +Show help message and all options. +.TP +\*(T<\fB\-v, \-\-version\fR\*(T> +Show version. +.TP +\*(T<\fB\-n, \-\-numeric\fR\*(T> +Numeric output: Addresses and other information +that might need network traffic to resolve to symbolic names +are shown numerically (default behaviour). When used twice, +internet services are translated. When used twice, internet +services and UIDs/GIDs are also shown numerically. When used +three times, protocol numbers are also shown numerically. +.TP +\*(T<\fB\-N\fR\*(T> +Translate IP addresses to DNS names. +.TP +\*(T<\fB\-a, \-\-handle\fR\*(T> +Show rule handles in output. +.TP +\*(T<\fB\-I, \-\-includepath \fR\*(T>\fIdirectory\fR +Add the directory \fIdirectory\fR to the list of directories to be searched for included files. +.TP +\*(T<\fB\-f, \-\-file \fR\*(T>\fIfilename\fR +Read input from \fIfilename\fR. +.TP +\*(T<\fB\-i, \-\-interactive\fR\*(T> +Read input from an interactive readline CLI. 
+.SH "INPUT FILE FORMAT" +.SS "LEXICAL CONVENTIONS" +Input is parsed line-wise. When the last character of a line, just before +the newline character, is a non-quoted backslash (\*(T<\e\*(T>), +the next line is treated as a continuation. Multiple commands on the +same line can be separated using a semicolon (\*(T<;\*(T>). +.PP +A hash sign (\*(T<#\*(T>) begins a comment. All following characters +on the same line are ignored. +.PP +Identifiers begin with an alphabetic character (\*(T), +followed zero or more alphanumeric characters (\*(T) +and the characters slash (\*(T), backslash (\*(T<\e\*(T>), +underscore (\*(T<_\*(T>) and dot (\*(T<.\*(T>). Identifiers +using different characters or clashing with a keyword need to be enclosed in +double quotes (\*(T<"\*(T>). +.PP +.SS "INCLUDE FILES" +'nh +.fi +.ad l +\fBinclude\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +\fIfilename\fR +'in \n(.iu-\nxu +.ad b +'hy +.PP +Other files can be included by using the \fBinclude\fR statement. +The directories to be searched for include files can be specified using +the \*(T<\fB\-I/\-\-includepath\fR\*(T> option. +.SS "SYMBOLIC VARIABLES" +'nh +.fi +.ad l +\fBdefine\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +variable \fIexpr\fR +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +\fB$variable\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +'in \n(.iu-\nxu +.ad b +'hy +.PP +Symbolic variables can be defined using the \fBdefine\fR statement. +Variable references are expressions and can be used initialize other variables. +The scope of a definition is the current block and all blocks contained within. + +\fBUsing symbolic variables\fR +.PP +.nf +\*(T< +define int_if1 = eth0 +define int_if2 = eth1 +define int_ifs = { $int_if1, $int_if2 } + +filter input iif $int_ifs accept + \*(T> +.fi +.SH "ADDRESS FAMILIES" +Address families determine the type of packets which are processed. 
For each address +family the kernel contains so called hooks at specific stages of the packet processing +paths, which invoke nftables if rules for these hooks exist. +.PP +.TP +\*(T<\fBip\fR\*(T> +IPv4 address family. +.TP +\*(T<\fBip6\fR\*(T> +IPv6 address family. +.TP +\*(T<\fBinet\fR\*(T> +Internet (IPv4/IPv6) address family. +.TP +\*(T<\fBarp\fR\*(T> +ARP address family, handling packets vi +.TP +\*(T<\fBbridge\fR\*(T> +Bridge address family, handling packets which traverse a bridge device. +.TP +\*(T<\fBnetdev\fR\*(T> +Netdev address family, handling packets from ingress. +.PP +All nftables objects exist in address family specific namespaces, therefore +all identifiers include an address family. If an identifier is specified without +an address family, the \*(T family is used by default. +.SS "IPV4/IPV6/INET ADDRESS FAMILIES" +The IPv4/IPv6/Inet address families handle IPv4, IPv6 or both types of packets. They +contain five hooks at different packet processing stages in the network stack. +.PP +\fBIPv4/IPv6/Inet address family hooks\fR +.TS +allbox ; +l | l. +T{ +Hook +T} T{ +Description +T} +.T& +l | l. +T{ +prerouting +T} T{ +All packets entering the system are processed by the prerouting hook. It is invoked +before the routing process and is used for early filtering or changing packet +attributes that affect routing. +T} +T{ +input +T} T{ +Packets delivered to the local system are processed by the input hook. +T} +T{ +forward +T} T{ +Packets forwarded to a different host are processed by the forward hook. +T} +T{ +output +T} T{ +Packets sent by local processes are processed by the output hook. +T} +T{ +postrouting +T} T{ +All packets leaving the system are processed by the postrouting hook. +T} +.TE +.SS "ARP ADDRESS FAMILY" +The ARP address family handles ARP packets received and sent by the system. It is commonly used +to mangle ARP packets for clustering. +.PP +\fBARP address family hooks\fR +.TS +allbox ; +l | l. 
+T{ +Hook +T} T{ +Description +T} +.T& +l | l +l | l. +T{ +input +T} T{ +Packets delivered to the local system are processed by the input hook. +T} +T{ +output +T} T{ +Packets send by the local system are processed by the output hook. +T} +.TE +.SS "BRIDGE ADDRESS FAMILY" +The bridge address family handles ethernet packets traversing bridge devices. +.SS "NETDEV ADDRESS FAMILY" +The Netdev address family handles packets from ingress. +.PP +\fBNetdev address family hooks\fR +.TS +allbox ; +l | l. +T{ +Hook +T} T{ +Description +T} +.T& +l | l. +T{ +ingress +T} T{ +All packets entering the system are processed by this hook. It is invoked +before layer 3 protocol handlers and it can be used for early filtering and +policing. +T} +.TE +.SH TABLES +'nh +.fi +.ad l +{add | delete | list | flush} \fBtable\fR [\fIfamily\fR] {\fItable\fR} +.ad b +'hy +.PP +Tables are containers for chains and sets. They are identified by their address family +and their name. The address family must be one of +\*(T, \*(T, \*(T, \*(T, \*(T, \*(T. +The \*(T address family is a dummy family which is used to create +hybrid IPv4/IPv6 tables. +When no address family is specified, \*(T is used by default. +.TP +\*(T<\fBadd\fR\*(T> +Add a new table for the given family with the given name. +.TP +\*(T<\fBdelete\fR\*(T> +Delete the specified table. +.TP +\*(T<\fBlist\fR\*(T> +List all chains and rules of the specified table. +.TP +\*(T<\fBflush\fR\*(T> +Flush all chains and rules of the specified table. +.SH CHAINS +'nh +.fi +.ad l +{add} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fIhook\fR} {\fIpriority\fR} {\fIpolicy\fR} {\fIdevice\fR} +.ad b +'hy +'nh +.fi +.ad l +{add | create | delete | list | flush} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} +.ad b +'hy +'nh +.fi +.ad l +{rename} \fBchain\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {\fInewname\fR} +.ad b +'hy +.PP +Chains are containers for rules. They exist in two kinds, +base chains and regular chains. 
A base chain is an entry point for +packets from the networking stack, a regular chain may be used +as jump target and is used for better rule organization. +.TP +\*(T<\fBadd\fR\*(T> +Add a new chain in the specified table. When a hook and priority +value are specified, the chain is created as a base chain and hooked +up to the networking stack. +.TP +\*(T<\fBcreate\fR\*(T> +Simlar to the \fBadd\fR command, but returns an error if the +chain already exists. +.TP +\*(T<\fBdelete\fR\*(T> +Delete the specified chain. The chain must not contain any rules or be +used as jump target. +.TP +\*(T<\fBrename\fR\*(T> +Rename the specified chain. +.TP +\*(T<\fBlist\fR\*(T> +List all rules of the specified chain. +.TP +\*(T<\fBflush\fR\*(T> +Flush all rules of the specified chain. +.SH RULES +'nh +.fi +.ad l +[add | insert] \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} [position \fIposition\fR] {\fIstatement\fR}\&... +.ad b +'hy +'nh +.fi +.ad l +{delete} \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} {handle \fIhandle\fR} +.ad b +'hy +.PP +Rules are constructed from two kinds of components according to a set +of grammatical rules: expressions and statements. +.TP +\*(T<\fBadd\fR\*(T> +Add a new rule described by the list of statements. The rule is appended to the +given chain unless a position is specified, in which case the rule is appended to +the rule given by the position. +.TP +\*(T<\fBinsert\fR\*(T> +Similar to the \fBadd\fR command, but the rule is prepended to the +beginning of the chain or before the rule at the given position. +.TP +\*(T<\fBdelete\fR\*(T> +Delete the specified rule. +.SH EXPRESSIONS +Expressions represent values, either constants like network addresses, port numbers etc. or data +gathered from the packet during ruleset evaluation. Expressions can be combined using binary, +logical, relational and other types of expressions to form complex or relational (match) expressions. 
+They are also used as arguments to certain types of operations, like NAT, packet marking etc. +.PP +Each expression has a data type, which determines the size, parsing and representation of +symbolic values and type compatibility with other expressions. +.SS "DESCRIBE COMMAND" +'nh +.fi +.ad l +\fBdescribe\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{\fIexpression\fR} +'in \n(.iu-\nxu +.ad b +'hy +.PP +The \fBdescribe\fR command shows information about the type of an expression and +its data type. +.PP +\fBThe describe command\fR +.PP +.nf +\*(T< +$ nft describe tcp flags +payload expression, datatype tcp_flag (TCP flag) (basetype bitmask, integer), 8 bits + +pre\-defined symbolic constants: +fin 0x01 +syn 0x02 +rst 0x04 +psh 0x08 +ack 0x10 +urg 0x20 +ecn 0x40 +cwr 0x80 + \*(T> +.fi +.SH "DATA TYPES" +Data types determine the size, parsing and representation of symbolic values and type compatibility +of expressions. A number of global data types exist, in addition some expression types define further +data types specific to the expression type. Most data types have a fixed size, some however may have +a dynamic size, f.i. the string type. +.PP +Types may be derived from lower order types, f.i. the IPv4 address type is derived from the integer +type, meaning an IPv4 address can also be specified as an integer value. +.PP +In certain contexts (set and map definitions) it is necessary to explicitly specify a data type. +Each type has a name which is used for this. +.SS "INTEGER TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +Integer +T} T{ +integer +T} T{ +variable +T} T{ +- +T} +.TE +.PP +The integer type is used for numeric values. It may be specified as decimal, hexadecimal +or octal number. The integer type doesn't have a fixed size, its size is determined by the +expression for which it is used. +.SS "BITMASK TYPE" +.TS +allbox ; +l | l | l | l. 
+T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +Bitmask +T} T{ +bitmask +T} T{ +variable +T} T{ +integer +T} +.TE +.PP +The bitmask type (\fBbitmask\fR) is used for bitmasks. +.SS "STRING TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +String +T} T{ +string +T} T{ +variable +T} T{ +- +T} +.TE +.PP +The string type is used to for character strings. A string begins with an alphabetic character +(a-zA-Z) followed by zero or more alphanumeric characters or the characters \*(T, +\*(T<\-\*(T>, \*(T<_\*(T> and \*(T<.\*(T>. In addition anything enclosed +in double quotes (\*(T<"\*(T>) is recognized as a string. +.PP +\fBString specification\fR +.PP +.nf +\*(T< +# Interface name +filter input iifname eth0 + +# Weird interface name +filter input iifname "(eth0)" + \*(T> +.fi +.SS "LINK LAYER ADDRESS TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +Link layer address +T} T{ +lladdr +T} T{ +variable +T} T{ +integer +T} +.TE +.PP +The link layer address type is used for link layer addresses. Link layer addresses are specified +as a variable amount of groups of two hexadecimal digits separated using colons (\*(T<:\*(T>). +.PP +\fBLink layer address specification\fR +.PP +.nf +\*(T< +# Ethernet destination MAC address +filter input ether daddr 20:c9:d0:43:12:d9 + \*(T> +.fi +.SS "IPV4 ADDRESS TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +IPv4 address +T} T{ +ipv4_addr +T} T{ +32 bit +T} T{ +integer +T} +.TE +.PP +The IPv4 address type is used for IPv4 addresses. Addresses are specified in either dotted decimal, +dotted hexadecimal, dotted octal, decimal, hexadecimal, octal notation or as a host name. A host name +will be resolved using the standard system resolver. 
+.PP +\fBIPv4 address specification\fR +.PP +.nf +\*(T< +# dotted decimal notation +filter output ip daddr 127.0.0.1 + +# host name +filter output ip daddr localhost + \*(T> +.fi +.SS "IPV6 ADDRESS TYPE" +.TS +allbox ; +l | l | l | l. +T{ +Name +T} T{ +Keyword +T} T{ +Size +T} T{ +Base type +T} +.T& +l | l | l | l. +T{ +IPv6 address +T} T{ +ipv6_addr +T} T{ +128 bit +T} T{ +integer +T} +.TE +.PP +The IPv6 address type is used for IPv6 addresses. FIXME +.PP +\fBIPv6 address specification\fR +.PP +.nf +\*(T< +# abbreviated loopback address +filter output ip6 daddr ::1 + \*(T> +.fi +.SH "PRIMARY EXPRESSIONS" +The lowest order expression is a primary expression, representing either a constant or a single +datum from a packet's payload, meta data or a stateful module. +.SS "META EXPRESSIONS" +'nh +.fi +.ad l +\fBmeta\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{length | nfproto | l4proto | protocol | priority} +'in \n(.iu-\nxu +.ad b +'hy +'nh +.fi +.ad l +[meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid | ibriport | obriport | pkttype | cpu | iifgroup | oifgroup | cgroup} +.ad b +'hy +.PP +A meta expression refers to meta data associated with a packet. +.PP +There are two types of meta expressions: unqualified and qualified meta expressions. +Qualified meta expressions require the \fBmeta\fR keyword before the +meta key, unqualified meta expressions can be specified by using the meta key directly +or as qualified meta expressions. +.PP +\fBMeta expression types\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. 
+T{ +length +T} T{ +Length of the packet in bytes +T} T{ +integer (32 bit) +T} +T{ +protocol +T} T{ +Ethertype protocol value +T} T{ +ether_type +T} +T{ +priority +T} T{ +TC packet priority +T} T{ +integer (32 bit) +T} +T{ +mark +T} T{ +Packet mark +T} T{ +packetmark +T} +T{ +iif +T} T{ +Input interface index +T} T{ +iface_index +T} +T{ +iifname +T} T{ +Input interface name +T} T{ +string +T} +T{ +iiftype +T} T{ +Input interface type +T} T{ +iface_type +T} +T{ +oif +T} T{ +Output interface index +T} T{ +iface_index +T} +T{ +oifname +T} T{ +Output interface name +T} T{ +string +T} +T{ +oiftype +T} T{ +Output interface hardware type +T} T{ +iface_type +T} +T{ +skuid +T} T{ +UID associated with originating socket +T} T{ +uid +T} +T{ +skgid +T} T{ +GID associated with originating socket +T} T{ +gid +T} +T{ +rtclassid +T} T{ +Routing realm +T} T{ +realm +T} +T{ +ibriport +T} T{ +Input bridge interface name +T} T{ +string +T} +T{ +obriport +T} T{ +Output bridge interface name +T} T{ +string +T} +T{ +pkttype +T} T{ +packet type +T} T{ +pkt_type +T} +T{ +cpu +T} T{ +cpu number processing the packet +T} T{ +integer (32 bits) +T} +T{ +iifgroup +T} T{ +incoming device group +T} T{ +devgroup_type +T} +T{ +oifgroup +T} T{ +outgoing device group +T} T{ +devgroup_type +T} +T{ +cgroup +T} T{ +control group id +T} T{ +integer (32 bits) +T} +.TE +.PP +\fBMeta expression specific types\fR +.TS +allbox ; +l | l. +T{ +Type +T} T{ +Description +T} +.T& +l | l. +T{ +iface_index +T} T{ +Interface index (32 bit number). Can be specified numerically +or as name of an existing interface. +T} +T{ +ifname +T} T{ +Interface name (16 byte string). Does not have to exist. +T} +T{ +iface_type +T} T{ +Interface type (16 bit number). +T} +T{ +uid +T} T{ +User ID (32 bit number). Can be specified numerically or as +user name. +T} +T{ +gid +T} T{ +Group ID (32 bit number). Can be specified numerically or as +group name. +T} +T{ +realm +T} T{ +Routing Realm (32 bit number). 
Can be specified numerically +or as symbolic name defined in /etc/iproute2/rt_realms. +T} +T{ +devgroup_type +T} T{ +Device group (32 bit number). Can be specified numerically +or as symbolic name defined in /etc/iproute2/group. +T} +T{ +pkt_type +T} T{ +Packet type: Unicast (addressed to local host), +Broadcast (to all), Multicast (to group). +T} +.TE +.PP +\fBUsing meta expressions\fR +.PP +.nf +\*(T< +# qualified meta expression +filter output meta oif eth0 + +# unqualified meta expression +filter output oif eth0 + \*(T> +.fi +.SH "PAYLOAD EXPRESSIONS" +Payload expressions refer to data from the packet's payload. +.SS "ETHERNET HEADER EXPRESSION" +'nh +.fi +.ad l +\fBether\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIethernet header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBEthernet header expression types\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l +l | l | l +l | l | l. +T{ +daddr +T} T{ +Destination MAC address +T} T{ +ether_addr +T} +T{ +saddr +T} T{ +Source MAC address +T} T{ +ether_addr +T} +T{ +type +T} T{ +EtherType +T} T{ +ether_type +T} +.TE +.SS "VLAN HEADER EXPRESSION" +'nh +.fi +.ad l +\fBvlan\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIVLAN header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBVLAN header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +id +T} T{ +VLAN ID (VID) +T} T{ +integer (12 bit) +T} +T{ +cfi +T} T{ +Canonical Format Indicator +T} T{ +flag +T} +T{ +pcp +T} T{ +Priority code point +T} T{ +integer (3 bit) +T} +T{ +type +T} T{ +EtherType +T} T{ +ethertype +T} +.TE +.SS "ARP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBarp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIARP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBARP header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. 
+T{ +htype +T} T{ +ARP hardware type +T} T{ +integer (16 bit) +T} +T{ +ptype +T} T{ +EtherType +T} T{ +ethertype +T} +T{ +hlen +T} T{ +Hardware address len +T} T{ +integer (8 bit) +T} +T{ +plen +T} T{ +Protocol address len +T} T{ +integer (8 bit) +T} +T{ +operation +T} T{ +Operation +T} T{ +arp_op +T} +.TE +.SS "IPV4 HEADER EXPRESSION" +'nh +.fi +.ad l +\fBip\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIIPv4 header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBIPv4 header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +version +T} T{ +IP header version (4) +T} T{ +integer (4 bit) +T} +T{ +hdrlength +T} T{ +IP header length including options +T} T{ +integer (4 bit) FIXME scaling +T} +T{ +dscp +T} T{ +Differentiated Services Code Point +T} T{ +integer (6 bit) +T} +T{ +ecn +T} T{ +Explicit Congestion Notification +T} T{ +integer (2 bit) +T} +T{ +length +T} T{ +Total packet length +T} T{ +integer (16 bit) +T} +T{ +id +T} T{ +IP ID +T} T{ +integer (16 bit) +T} +T{ +frag-off +T} T{ +Fragment offset +T} T{ +integer (16 bit) +T} +T{ +ttl +T} T{ +Time to live +T} T{ +integer (8 bit) +T} +T{ +protocol +T} T{ +Upper layer protocol +T} T{ +inet_proto +T} +T{ +checksum +T} T{ +IP header checksum +T} T{ +integer (16 bit) +T} +T{ +saddr +T} T{ +Source address +T} T{ +ipv4_addr +T} +T{ +daddr +T} T{ +Destination address +T} T{ +ipv4_addr +T} +.TE +.SS "IPV6 HEADER EXPRESSION" +'nh +.fi +.ad l +\fBip6\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIIPv6 header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBIPv6 header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. 
+T{ +version +T} T{ +IP header version (6) +T} T{ +integer (4 bit) +T} +T{ +priority +T} T{ +T} T{ +T} +T{ +dscp +T} T{ +Differentiated Services Code Point +T} T{ +integer (6 bit) +T} +T{ +ecn +T} T{ +Explicit Congestion Notification +T} T{ +integer (2 bit) +T} +T{ +flowlabel +T} T{ +Flow label +T} T{ +integer (20 bit) +T} +T{ +length +T} T{ +Payload length +T} T{ +integer (16 bit) +T} +T{ +nexthdr +T} T{ +Nexthdr protocol +T} T{ +inet_proto +T} +T{ +hoplimit +T} T{ +Hop limit +T} T{ +integer (8 bit) +T} +T{ +saddr +T} T{ +Source address +T} T{ +ipv6_addr +T} +T{ +daddr +T} T{ +Destination address +T} T{ +ipv6_addr +T} +.TE +.SS "TCP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBtcp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fITCP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBTCP header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +sport +T} T{ +Source port +T} T{ +inet_service +T} +T{ +dport +T} T{ +Destination port +T} T{ +inet_service +T} +T{ +sequence +T} T{ +Sequence number +T} T{ +integer (32 bit) +T} +T{ +ackseq +T} T{ +Acknowledgement number +T} T{ +integer (32 bit) +T} +T{ +doff +T} T{ +Data offset +T} T{ +integer (4 bit) FIXME scaling +T} +T{ +reserved +T} T{ +Reserved area +T} T{ +integer (4 bit) +T} +T{ +flags +T} T{ +TCP flags +T} T{ +tcp_flags +T} +T{ +window +T} T{ +Window +T} T{ +integer (16 bit) +T} +T{ +checksum +T} T{ +Checksum +T} T{ +integer (16 bit) +T} +T{ +urgptr +T} T{ +Urgent pointer +T} T{ +integer (16 bit) +T} +.TE +.SS "UDP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBudp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIUDP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBUDP header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. 
+T{ +sport +T} T{ +Source port +T} T{ +inet_service +T} +T{ +dport +T} T{ +Destination port +T} T{ +inet_service +T} +T{ +length +T} T{ +Total packet length +T} T{ +integer (16 bit) +T} +T{ +checksum +T} T{ +Checksum +T} T{ +integer (16 bit) +T} +.TE +.SS "UDP-LITE HEADER EXPRESSION" +'nh +.fi +.ad l +\fBudplite\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIUDP-Lite header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBUDP-Lite header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +sport +T} T{ +Source port +T} T{ +inet_service +T} +T{ +dport +T} T{ +Destination port +T} T{ +inet_service +T} +T{ +cscov +T} T{ +Checksum coverage +T} T{ +integer (16 bit) +T} +T{ +checksum +T} T{ +Checksum +T} T{ +integer (16 bit) +T} +.TE +.SS "SCTP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBsctp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fISCTP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBSCTP header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +sport +T} T{ +Source port +T} T{ +inet_service +T} +T{ +dport +T} T{ +Destination port +T} T{ +inet_service +T} +T{ +vtag +T} T{ +Verfication Tag +T} T{ +integer (32 bit) +T} +T{ +checksum +T} T{ +Checksum +T} T{ +integer (32 bit) +T} +.TE +.SS "DCCP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBdccp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIDCCP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBDCCP header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l +l | l | l. 
+T{ +sport +T} T{ +Source port +T} T{ +inet_service +T} +T{ +dport +T} T{ +Destination port +T} T{ +inet_service +T} +.TE +.SS "AUTHENTICATION HEADER EXPRESSION" +'nh +.fi +.ad l +\fBah\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIAH header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBAH header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +nexthdr +T} T{ +Next header protocol +T} T{ +inet_service +T} +T{ +hdrlength +T} T{ +AH Header length +T} T{ +integer (8 bit) +T} +T{ +reserved +T} T{ +Reserved area +T} T{ +integer (4 bit) +T} +T{ +spi +T} T{ +Security Parameter Index +T} T{ +integer (32 bit) +T} +T{ +sequence +T} T{ +Sequence number +T} T{ +integer (32 bit) +T} +.TE +.SS "ENCRYPTED SECURITY PAYLOAD HEADER EXPRESSION" +'nh +.fi +.ad l +\fBesp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIESP header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBESP header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l +l | l | l. +T{ +spi +T} T{ +Security Parameter Index +T} T{ +integer (32 bit) +T} +T{ +sequence +T} T{ +Sequence number +T} T{ +integer (32 bit) +T} +.TE +.SS "IPCOMP HEADER EXPRESSION" +'nh +.fi +.ad l +\fBcomp\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +[\fIIPComp header field\fR] +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBIPComp header expression\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l +l | l | l +l | l | l. +T{ +nexthdr +T} T{ +Next header protocol +T} T{ +inet_service +T} +T{ +flags +T} T{ +Flags +T} T{ +bitmask +T} +T{ +cpi +T} T{ +Compression Parameter Index +T} T{ +integer (16 bit) +T} +.TE +.SH BLA +.SS "IPV6 EXTENSION HEADER EXPRESSIONS" +IPv6 extension header expressions refer to data from an IPv6 packet's extension headers. 
+.SS "CONNTRACK EXPRESSIONS" +Conntrack expressions refer to meta data of the connection tracking entry associated with a packet. +.PP +There are three types of conntrack expressions. Some conntrack expressions require the flow +direction before the conntrack key, others must be used directly because they are +direction agnostic. The \fBpackets and bytes\fR keywords can be used +with or without a direction. If the direction is omitted, the sum of the original and the reply +direction is returned. +.PP +'nh +.fi +.ad l +\fBct\fR \kx +.if (\nx>(\n(.l/2)) .nr x (\n(.l/5) +'in \n(.iu+\nxu +{state | direction | status | mark | expiration | helper | label | bytes | packets} {original | reply | {l3proto | protocol | saddr | daddr | proto-src | proto-dst | bytes | packets}} +'in \n(.iu-\nxu +.ad b +'hy +.PP +\fBConntrack expressions\fR +.TS +allbox ; +l | l | l. +T{ +Keyword +T} T{ +Description +T} T{ +Type +T} +.T& +l | l | l. +T{ +state +T} T{ +State of the connection +T} T{ +ct_state +T} +T{ +direction +T} T{ +Direction of the packet relative to the connection +T} T{ +ct_dir +T} +T{ +status +T} T{ +Status of the connection +T} T{ +ct_status +T} +T{ +mark +T} T{ +Connection mark +T} T{ +packetmark +T} +T{ +expiration +T} T{ +Connection expiration time +T} T{ +time +T} +T{ +helper +T} T{ +Helper associated with the connection +T} T{ +string +T} +T{ +label +T} T{ +Connection tracking label +T} T{ +ct_label +T} +T{ +l3proto +T} T{ +Layer 3 protocol of the connection +T} T{ +nf_proto +T} +T{ +saddr +T} T{ +Source address of the connection for the given direction +T} T{ +ipv4_addr/ipv6_addr +T} +T{ +daddr +T} T{ +Destination address of the connection for the given direction +T} T{ +ipv4_addr/ipv6_addr +T} +T{ +protocol +T} T{ +Layer 4 protocol of the connection for the given direction +T} T{ +inet_proto +T} +T{ +proto-src +T} T{ +Layer 4 protocol source for the given direction +T} T{ +integer (16 bit) +T} +T{ +proto-dst +T} T{ +Layer 4 protocol destination for the given 
direction +T} T{ +integer (16 bit) +T} +T{ +packets +T} T{ +packet count seen in the given direction or sum of original and reply +T} T{ +integer (64 bit) +T} +T{ +bytes +T} T{ +bytecount seen, see description for \fBpackets\fR keyword +T} T{ +integer (64 bit) +T} +.TE +.SH STATEMENTS +Statements represent actions to be performed. They can alter control flow (return, jump +to a different chain, accept or drop the packet) or can perform actions, such as logging, +rejecting a packet, etc. +.PP +Statements exist in two kinds. Terminal statements unconditionally terminate evaluation +of the current rule, non-terminal statements either only conditionally or never terminate +evaluation of the current rule, in other words, they are passive from the ruleset evaluation +perspective. There can be an arbitrary amount of non-terminal statements in a rule, but +only a single terminal statement as the final statement. +.SS "VERDICT STATEMENT" +The verdict statement alters control flow in the ruleset and issues +policy decisions for packets. +.PP +'nh +.fi +.ad l +{accept | drop | queue | continue | return} +.ad b +'hy +'nh +.fi +.ad l +{jump | goto} {\fIchain\fR} +.ad b +'hy +.PP +.TP +\*(T<\fBaccept\fR\*(T> +Terminate ruleset evaluation and accept the packet. +.TP +\*(T<\fBdrop\fR\*(T> +Terminate ruleset evaluation and drop the packet. +.TP +\*(T<\fBqueue\fR\*(T> +Terminate ruleset evaluation and queue the packet to userspace. +.TP +\*(T<\fBcontinue\fR\*(T> +Continue ruleset evaluation with the next rule. FIXME +.TP +\*(T<\fBreturn\fR\*(T> +Return from the current chain and continue evaluation at the +next rule in the last chain. If issued in a base chain, it is +equivalent to \fBaccept\fR. +.TP +\*(T<\fBjump \fR\*(T>\fIchain\fR +Continue evaluation at the first rule in \fIchain\fR. +The current position in the ruleset is pushed to a call stack and evaluation +will continue there when the new chain is entirely evaluated of a +\fBreturn\fR verdict is issued. 
+.TP +\*(T<\fBgoto \fR\*(T>\fIchain\fR +Similar to \fBjump\fR, but the current position is not pushed +to the call stack, meaning that after the new chain evaluation will continue +at the last chain instead of the one containing the goto statement. +.PP +\fBVerdict statements\fR +.PP +.nf +\*(T< +# process packets from eth0 and the internal network in from_lan +# chain, drop all packets from eth0 with different source addresses. + +filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan +filter input iif eth0 drop + \*(T> +.fi +.SS "LOG STATEMENT" +.SS "REJECT STATEMENT" +.SS "COUNTER STATEMENT" +.SS "META STATEMENT" +.SS "LIMIT STATEMENT" +.SS "NAT STATEMENT" +.SS "QUEUE STATEMENT" +.SH "ADDITIONAL COMMANDS" +These are some additional commands included in nft. +.SS EXPORT +Export your current ruleset in XML or JSON format to stdout. +.PP +Examples: + +.nf +\*(T< +% nft export xml +[...] +% nft export json +[...] + \*(T> +.fi +.SS MONITOR +The monitor command allows you to listen to Netlink events produced +by the nf_tables subsystem, related to creation and deletion of objects. +When they ocurr, nft will print to stdout the monitored events in either +XML, JSON or native nft format. +.PP +To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements'. +.PP +To filter events related to a concrete action, use keyword 'new' or 'destroy'. +.PP +Hit ^C to finish the monitor operation. 
+.PP +\fBListen to all events, report in native nft format\fR +.PP +.nf +\*(T< +% nft monitor + \*(T> +.fi +.PP +\fBListen to added tables, report in XML format\fR +.PP +.nf +\*(T< +% nft monitor new tables xml + \*(T> +.fi +.PP +\fBListen to deleted rules, report in JSON format\fR +.PP +.nf +\*(T< +% nft monitor destroy rules json + \*(T> +.fi +.PP +\fBListen to both new and destroyed chains, in native nft format\fR +.PP +.nf +\*(T< +% nft monitor chains + \*(T> +.fi +.SH "ERROR REPORTING" +When an error is detected, nft shows the line(s) containing the error, the position +of the erroneous parts in the input stream and marks up the erroneous parts using +carrets (\*(T<^\*(T>). If the error results from the combination of two +expressions or statements, the part imposing the constraints which are violated is +marked using tildes (\*(T<~\*(T>). +.PP +For errors returned by the kernel, nft can't detect which parts of the input caused +the error and the entire command is marked. +.PP +\fBError caused by single incorrect expression\fR +.PP +.nf +\*(T< +:1:19\-22: Error: Interface does not exist +filter output oif eth0 + ^^^^ + \*(T> +.fi +.PP +\fBError caused by invalid combination of two expressions\fR +.PP +.nf +\*(T< +:1:28\-36: Error: Right hand side of relational expression (==) must be constant +filter output tcp dport == tcp dport + ~~ ^^^^^^^^^ + \*(T> +.fi +.PP +\fBError returned by the kernel\fR +.PP +.nf +\*(T< +:0:0\-23: Error: Could not process rule: Operation not permitted +filter output oif wlan0 +^^^^^^^^^^^^^^^^^^^^^^^ + \*(T> +.fi +.SH "EXIT STATUS" +On success, nft exits with a status of 0. Unspecified +errors cause it to exit with a status of 1, memory allocation +errors with a status of 2, unable to open Netlink socket with 3. +.SH "SEE ALSO" +iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8) +.PP +There is an official wiki at: http://wiki.nftables.org +.SH AUTHORS +nftables was written by Patrick McHardy. 
+.SH COPYRIGHT +Copyright \(co 2008-2014 Patrick McHardy <\*(T> +.PP +nftables is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License version 2 as +published by the Free Software Foundation. +.PP +This documentation is licenced under the terms of the Creative +Commons Attribution-ShareAlike 4.0 license, +.URL http://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0" +\&. diff --git a/SOURCES/nftables.conf b/SOURCES/nftables.conf new file mode 100644 index 0000000..ec7b1ef --- /dev/null +++ b/SOURCES/nftables.conf @@ -0,0 +1,14 @@ +# +# This this will contain your nftables rules and +# is read by the systemd service when restarting +# +# These provide an iptables like set of filters +# (uncomment to include) +# include "/etc/nftables/bridge-filter" +# include "/etc/nftables/inet-filter" +# include "/etc/nftables/ipv4-filter" +# include "/etc/nftables/ipv4-mangle" +# include "/etc/nftables/ipv4-nat" +# include "/etc/nftables/ipv6-filter" +# include "/etc/nftables/ipv6-mangle" +# include "/etc/nftables/ipv6-nat" diff --git a/SOURCES/nftables.service b/SOURCES/nftables.service new file mode 100644 index 0000000..1e8c194 --- /dev/null +++ b/SOURCES/nftables.service @@ -0,0 +1,17 @@ +[Unit] +Description=Netfilter Tables +Documentation=man:nft(8) +Wants=network-pre.target +Before=network-pre.target + +[Service] +Type=oneshot +ProtectSystem=full +ProtectHome=true +ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf +ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";' +ExecStop=/sbin/nft flush ruleset +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec new file mode 100644 index 0000000..173247a --- /dev/null +++ b/SPECS/nftables.spec 
@@ -0,0 +1,67 @@ +Name: nftables +Version: 0.6 +Release: 2%{?dist} +Summary: Netfilter Tables userspace utillites +License: GPLv2 +URL: http://netfilter.org/projects/nftables/ +Source0: http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz2 +Source1: nftables.service +Source2: nftables.conf +Source3: nft.8 +BuildRequires: flex +BuildRequires: bison +BuildRequires: libmnl-devel +BuildRequires: gmp-devel +BuildRequires: readline-devel +BuildRequires: libnftnl-devel +# docbook2X is available in EPEL repo only, which is not included in Brew +#BuildRequires: docbook2X +#BuildRequires: docbook-dtds +BuildRequires: systemd + +%description +Netfilter Tables userspace utilities. + +%prep +%setup -q + +%build +%configure --disable-silent-rules +make %{?_smp_mflags} + +%install +%make_install +find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' +mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8 +cp -a %{SOURCE3} $RPM_BUILD_ROOT/%{_mandir}/man8/ +chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft* + +mkdir -p $RPM_BUILD_ROOT/%{_unitdir} +cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/ + +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig +cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/ + +%post +%systemd_post nftables.service + +%preun +%systemd_preun nftables.service + +%postun +%systemd_postun_with_restart nftables.service + +%files +%doc COPYING TODO +%config(noreplace) %{_sysconfdir}/nftables/ +%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf +%{_sbindir}/nft +%{_mandir}/man8/nft* +%{_unitdir}/nftables.service + +%changelog +* Tue Jul 19 2016 Phil Sutter 0.6-2 +- Add pre-generated nft.8 to overcome missing docbook2X package. + +* Wed Jun 29 2016 Phil Sutter 0.6-1 +- Rebased from Fedora Rawhide and adjusted for RHEL review.
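Review bot: the pre-generated SOURCES/nft.8 hunk ships text that is not release quality, most visibly the literal `FIXME` left in the `continue` verdict entry ("Continue ruleset evaluation with the next rule. FIXME") and the seven empty subsections `.SS "LOG STATEMENT"` through `.SS "QUEUE STATEMENT"` that carry a heading and no body. Since this page is being added to the package precisely because it cannot be regenerated at build time (no docbook2X), it should be cleaned up before it is committed here or the fixes sent upstream first; at minimum the typos "ocurr" (occur), "carrets" (carets), "licenced" (licensed) and "when the new chain is entirely evaluated of a \fBreturn\fR verdict is issued" (should read "or a") are worth a follow-up, and the verdict-statement example ("filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan") would be clearer if it also showed the rule that drops the non-matching sources being listed second, as the comment above it already states.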
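Review bot: SOURCES/nftables.conf opens with a duplicated word, "# This this will contain your nftables rules and", and the next line claims the file "is read by the systemd service when restarting", whereas the unit file in this same commit reads it on start (`ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf`) and on reload; suggest "# This file will contain your nftables rules and is read by the systemd service on start and reload". The commented include lines are fine as a template, but note that with every include commented out the service starts successfully with an empty ruleset, i.e. no filtering at all, so the comment should say so explicitly.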
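Review bot: in SOURCES/nftables.service both `ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'` and `ExecStop=/sbin/nft flush ruleset` flush the entire kernel ruleset, not only the tables loaded from this file, so stopping or reloading the unit also removes any tables that other software added at runtime and `systemctl stop nftables` leaves the host with no packet filtering; that may be the intended semantics, but it should be stated in the unit's Description or a comment, since the equivalent iptables services behave the same way and users will expect it to be documented. Separately, the unit hardcodes `/sbin/nft` while the spec installs `%{_sbindir}/nft`; using /usr/sbin/nft keeps the two consistent rather than relying on the /sbin symlink. The ProtectSystem=full and ProtectHome=true hardening lines are a good addition for a oneshot unit that only needs to read /etc.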
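Review bot: the SPECS/nftables.spec hunk uses `%systemd_post nftables.service`, `%systemd_preun nftables.service` and `%systemd_postun_with_restart nftables.service` in its scriptlets but only declares `BuildRequires: systemd`; those macros expand to systemctl calls at install time, so the package also needs `Requires(post): systemd`, `Requires(preun): systemd` and `Requires(postun): systemd` to guarantee the scriptlets can run. Two smaller points: the Summary line "Netfilter Tables userspace utillites" has a typo (utilities), and Source0 is fetched from a plain-http URL (`http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz2`) with no corresponding upstream signature listed as a Source and verified in %prep, so the integrity of the tarball rests entirely on the hash pinned in the repository metadata; adding the release signature and a gpgv check in %prep would close that gap for the supply chain.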