Just did some tests; it seems that the nft syntax is not stable yet, 
some minor syntax changes occurred between different releases over the last 6 months.


Another interesting feature since nftables 0.2 is to be able to manage IPv4 
and IPv6 in the same filter table:

"
nft -f /etc/nftables/inet-filter 

Rules in the inet family can apply to either just IPv4, just IPv6 or 
both types of packets: 

nft inet filter input ip saddr 192.168.0.0/24 jump from_lan 
nft inet filter input ip6 saddr 2001::/64 jump from_lan 
nft inet filter input tcp dport ssh accept 
nft inet filter input iif lo accept 
"

----- Original Message ----- 

From: "Alexandre DERUMIER" <aderum...@odiso.com> 
To: "Dietmar Maurer" <diet...@proxmox.com> 
Cc: "pve-devel" <pve-devel@pve.proxmox.com> 
Sent: Sunday 6 July 2014 15:16:43 
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

I just tried to build libnftnl-dev and nftables from jessie, and it seems to 
work fine: 


load rules (aka iptables-restore) 
# nft -f /etc/nftables/ipv4-filter 

save rules (aka iptables-save) 
# nft list table filter 
table ip filter { 
    chain input { 
        type filter hook input priority 0; 
    } 

    chain forward { 
        type filter hook forward priority 0; 
    } 

    chain output { 
        type filter hook output priority 0; 
    } 
} 
----- Original Message ----- 

From: "Alexandre DERUMIER" <aderum...@odiso.com> 
To: "Dietmar Maurer" <diet...@proxmox.com> 
Cc: "pve-devel" <pve-devel@pve.proxmox.com> 
Sent: Sunday 6 July 2014 14:13:43 
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

Also, I think the most interesting feature of nftables is vmap: 

http://people.netfilter.org/wiki-nftables/index.php/Dictionaries 


So, it seems possible to jump directly to the VM tap chain, so a big 
performance improvement in our case! 


Something like (not sure about the syntax): 


table ip filter { 
    chain forward { 
        # base chain, otherwise the forward hook never reaches the vmap 
        type filter hook forward priority 0; 
        # one lookup on the output interface selects the per-VM chain 
        meta oifname vmap { tap100i0 : jump tap100i0-chain, tap200i0 : jump tap200i0-chain, tap300i0 : jump tap300i0-chain } 
    } 

    chain tap100i0-chain { 

    } 

    chain tap200i0-chain { 

    } 

    chain tap300i0-chain { 

    } 
} 


Also, ipset seems to be native: 

nft add set global myipset { type ipv4_address\;} 
nft add element global myipset { 192.168.3.4 } 
nft add element global myipset { 192.168.1.4, 192.168.1.5 } 




I think we could try to manage a 

$ruleset->{nftables} 

in parallel with the current iptables, ip6tables, ebtables 


and do the switch (next year?) when we are sure that the stability/features of 
nftables are OK. 
(I think Red Hat will remove the tech preview in RHEL 7.1 or 7.2) 
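To put the vmap idea and the inet-family idea from this thread together, here is an added example ruleset (not from the thread or from pve-firewall) in current nftables syntax; it assumes bridged VM traffic reaches the forward hook via br_netfilter, and the tap names and address ranges are constructed samples.

```nft
# Added example: dual-stack forward filtering dispatched per VM tap interface.
# The forward chain does one map lookup instead of walking a rule per VM.
table inet filter {
    # Named sets take the role of ipset; 'flags interval' allows prefixes.
    set lan_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.168.0.0/24 }
    }
    set lan_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/64 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid counter drop
        # Traffic towards a VM: key on the output interface.
        oifname vmap { "tap100i0" : jump vm100_in, "tap200i0" : jump vm200_in }
        # Traffic leaving a VM: key on the input interface.
        iifname vmap { "tap100i0" : jump vm100_out, "tap200i0" : jump vm200_out }
    }

    # VM 100: SSH from LAN hosts only, for both IP families in one chain.
    chain vm100_in {
        ip saddr @lan_v4 tcp dport 22 accept
        ip6 saddr @lan_v6 tcp dport 22 accept
        counter drop
    }
    chain vm100_out {
        accept
    }

    # VM 200: HTTP/HTTPS from LAN hosts only.
    chain vm200_in {
        ip saddr @lan_v4 tcp dport { 80, 443 } accept
        ip6 saddr @lan_v6 tcp dport { 80, 443 } accept
        counter drop
    }
    chain vm200_out {
        accept
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list table inet filter`; the `counter` on the drop rules makes rejected traffic per VM visible without extra logging.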




----- Original Message ----- 

From: "Alexandre DERUMIER" <aderum...@odiso.com> 
To: "Dietmar Maurer" <diet...@proxmox.com> 
Cc: "pve-devel" <pve-devel@pve.proxmox.com> 
Sent: Sunday 6 July 2014 12:07:21 
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

>>Looks good, but I think we should evaluate nftables now (instead of using all 
>>those different binaries). 
>>I have no idea if it is already usable? 

Available since RHEL7 RC2, but it's a tech preview. 

nftables has just been tagged v0.3: 
http://git.netfilter.org/nftables/log/ 


And the only doc I found is 
https://home.regit.org/netfilter-en/nftables-quick-howto/ 



----- Original Message ----- 

From: "Dietmar Maurer" <diet...@proxmox.com> 
To: "Alexandre DERUMIER" <aderum...@odiso.com> 
Cc: "pve-devel" <pve-devel@pve.proxmox.com>, "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag> 
Sent: Sunday 6 July 2014 05:32:01 
Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ? 

> BTW, I'll also rework my ipv6 patch. 
> 
> I thought about extending $ruleset to something like 
> 
> $ruleset->{iptables}->{filter} 
> $ruleset->{iptables}->{nat} 
> $ruleset->{ip6tables}->{filter} 
> $ruleset->{ebtables}->{filter} 
> 
> Like this, we can manage multiple commands and filters. 
> 
> What do you think about it ? 

Looks good, but I think we should evaluate nftables now (instead of using all 
those different binaries). 
I have no idea if it is already usable? 
_______________________________________________ 
pve-devel mailing list 
pve-devel@pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 