There are three main components:
- the kernel implementation
- libnl netlink communication
- nftables userspace frontend
At this point a few examples might be in order ...
- a single rule, specified incrementally on the command line:
# nft add rule output tcp dport 22 log accept
The default address family is IPv4, the default table is filter. The
full specification would look like this:
# nft add rule inet filter output tcp dport 22 log accept
- a chain containing multiple rules:
#! nft -f
include "ipv4-filter"
chain filter output {
ct state established,related accept
tcp dport 22 accept
counter drop
}
creates the filter table based on the definitions from "ipv4-filter"
and populates the output chain with the given three rules.
OK, back to the internals. After the input has been parsed, it is
evaluated. This stage performs some basic transformations, like
constant folding and propagation, as well as most semantic checks.
During this step, a protocol context is built based on the current
address family and the specified matches, which describes the protocols
of packets that might hit later operations in the same rule. This
allows two things:
- conflict detection:
... ip protocol tcp udp dport 53
results in:
:1:37-45: Error: conflicting protocols specified: tcp vs. udp
add filter output ip protocol tcp udp dport 53
^^^^^^^^^
Full source: http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/28922
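As an added illustration of the evaluation stage described in the announcement above (this is not code from the nftables project nor from the original mail), here is a toy model in Python of the protocol-context conflict check: a rule is walked left to right, each protocol keyword pins a layer of the context, and a second keyword that disagrees with the pinned layer is reported with the column span of the offending expression. The keyword tables, the column convention and the error layout are assumptions of this toy, not nftables' own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed keyword tables (an assumption for this toy, not the real
# nftables protocol descriptions).
NETWORK = {"ip", "ip6"}
TRANSPORT = {"tcp", "udp", "icmp"}
# Selectors/verdicts that contribute no protocol information of their own.
NO_PROTO = {"dport", "sport", "ct", "state", "counter", "log", "accept", "drop"}

@dataclass
class ProtoCtx:
    """Protocol context built while evaluating one rule."""
    network: Optional[str] = None
    transport: Optional[str] = None

def evaluate_rule(rule: str):
    """Walk the rule and build its protocol context.
    Returns (ctx, None) on success, or (ctx, (message, start_col, end_col))
    on a conflict; columns are 1-based and inclusive."""
    ctx = ProtoCtx()
    toks = list(re.finditer(r"\S+", rule))
    for i, tok in enumerate(toks):
        word = tok.group()
        if word in NETWORK:
            ctx.network = word
        elif word in TRANSPORT:
            # 'ip protocol tcp' and 'tcp dport 22' both pin the transport
            # layer; a later, different protocol is a conflict.
            if ctx.transport and ctx.transport != word:
                end = tok.end()
                # Report the whole expression, e.g. "udp dport", like nft does.
                if i + 1 < len(toks) and toks[i + 1].group() in NO_PROTO:
                    end = toks[i + 1].end()
                msg = f"conflicting protocols specified: {ctx.transport} vs. {word}"
                return ctx, (msg, tok.start() + 1, end)
            ctx.transport = word
    return ctx, None

def format_error(rule: str, err) -> str:
    """Render the error in nft's style: position line, the rule, carets."""
    msg, start, end = err
    caret = " " * (start - 1) + "^" * (end - start + 1)
    return f":1:{start}-{end}: Error: {msg}\n{rule}\n{caret}"
```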
Happy Hacking!
Rodrigo Montoro(Sp0oKeR)
2 comments:
They ported PF to Linux!!
;-)
Hey!
I'm studying to write my undergraduate thesis (TCC) on this topic, a comparison between iptables and nftables; if you have been reading more about it or are interested in getting to know the tool better, here are my contacts so we can exchange ideas.
Cheers.
MSN = manoserpa@hotmail.com
E-mail/Gtalk = manoserpa@gmail.com