Wednesday, October 23, 2013

Say "hello nftables" on Debian 7 GNU/Linux

Nftables is the 4th generation packet filter engine for linux kernel and it will be merged into kernel 3.13. I haven't play with netfilter for a while. When I saw Nftables a couple of days ago, I think there's something( iteches?) I need to scratch;-) Let's try to say "Hi" to nftables.

OS: Debian 7 GNU/Linux. Grab the small version of iso here.

After the installation. Some packages are needed to be install also:
#apt-get install git vim libgmp-dev libreadline-dev libtool autoconf gcc make pkg-config libjansson-dev libmxml-dev flex bison libncurses5-dev kernel-package

Firstly, you need to compile two libraries: libmnl and libnftables
git clone git://git.netfilter.org/libmnl
cd libmnl/
./autogen.sh
./configure
make
sudo make install
sudo ldconfig

git://git.netfilter.org/libnftables
cd libnftables/
./autogen.sh
./configure --with-json-parsing --with-xml-parsing
make
sudo make install
sudo ldconfig

Then, compile/install the userspace tool( nft):

git clone git://git.netfilter.org/nftables
cd nftables
./autogen.sh
ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes  ./configure
make
sudo make install
sudo ldconfig

Well, because linux-3.13 is not release yet. So we need to grab the source code from nftables dev tree:

git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git linux
cp /boot/config-3.2.0-4-686-pae .config
make menuconfig( select these NF_TABLES options)
make -j 3 deb-pkg
cd ../
sudo dpkg -i *.deb

Reboot your machine. Let's try some policies. Thanks to the author whoever wrote this HOWTO. Nftables policy is seem easy to write. But I'm still not get used to the new style since I even don't know how to delete a table. It always saying the device is BUSY or something like that. WTH~ I checked the commits, it should be a feature though. I think the policy converter tool between iptables and nftables, that is necessary. Otherwise, it'd be barries to those old school iptables users/admin/developers.

3 comments:

Anonymous said...

Cara preciva de uma ajuda. Fiz tudo como você postou, mas na hora de ir no menu do kernel para escolher o NF_TABLES, estão não aparece.

teknoraver said...

I get this error:

nft list table filter
:1:1-17: Error: Could not receive sets from kernel: Address family not supported by protocol
list table filter
^^^^^^^^^^^^^^^^^

is this related to netlink?

Shawn C said...

teknoraver:

I'm not sure if this is netlink related issue. Sorry I can't help