From patchwork Sun Mar 11 16:47:05 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 884266 X-Patchwork-Delegate: fw@strlen.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=strlen.de Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zzn8c6JTbz9sQv for ; Mon, 12 Mar 2018 03:47:12 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932214AbeCKQrM (ORCPT ); Sun, 11 Mar 2018 12:47:12 -0400 Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:59906 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932168AbeCKQrL (ORCPT ); Sun, 11 Mar 2018 12:47:11 -0400 Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.84_2) (envelope-from ) id 1ev47p-0004i2-NP; Sun, 11 Mar 2018 17:47:09 +0100 From: Florian Westphal To: netfilter-devel@vger.kernel.org Cc: Florian Westphal Subject: [PATCH 1/1] doc: add set information and example for run-time blackhole Date: Sun, 11 Mar 2018 17:47:05 +0100 Message-Id: <20180311164705.5123-1-fw@strlen.de> X-Mailer: git-send-email 2.14.3 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Signed-off-by: Florian Westphal --- doc/nft.xml | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 79 insertions(+), 2 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml index f7cf077..d3765fa 100644 --- a/doc/nft.xml +++ b/doc/nft.xml 
@@ -912,6 +912,31 @@ table inet filter { Sets + + nftables offers two kinds of set concepts. + Anonymous sets are sets that have no specific name. The set members are enclosed in curly braces, + with commas to separate elements when creating the rule the set is used in. + Once that rule is removed, the set is removed as well. + They cannot be updated, i.e. once an anoymous set is declared it cannot be changed anymore except by + removing/altering the rule that uses the anonymous set. + + Using anyonymous sets to accept particular subnets and ports + + nft add rule filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport { 22, 443 } accept + + + Named sets are sets that need to be defined first before they can be referenced + in rules. Unlike anonymous sets, elements can be added to or removed from a named set at any time. + Sets are referenced from rules using an @ prefixed to the sets name. + + Using named sets to accept addressesand ports + + nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept + + The sets allowed_hosts and allowed_portsneed to + be created first. The next section describes nft set syntax in more detail. + + add @@ -1044,7 +1069,7 @@ table inet filter { timeout - time an element stays in the set + time an element stays in the set, mandatory if set is added to from the packet path (ruleset). string, decimal followed by unit. Units are: d, h, m, s @@ -1059,7 +1084,7 @@ table inet filter { size - maximun number of elements in the set + maximun number of elements in the set, mandatory if set is added to from the packet path (ruleset). unsigned integer (64 bit) 
@@ -5338,6 +5363,58 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" } + + Set statement + + The set statement is used to dynamically add or update elements in a set from the packet path. + The set setname must already exist in the given table. + Furhermore, any set that will be dynamically updated from the nftables ruleset must specify + both a maximum set size (to prevent memory exhaustion) and a timeout (so that number of entries in + set will not grow indefinitely). + The set statement can be used to e.g. create dynamic blacklists. + + + + set + + add + update + + expression + timeout timeout + commentstring + @setname + + + + + Example for simple blacklist + + # declare a set, bound to table "filter", in family "ip". Timeout and size are mandatory because we will add elements from packet path. + nft add set ip filter blackhole "{ type ipv4_addr; flags timeout; size 65536; }" + + # whitelist internal interface. + nft add rule ip filter input meta iifname "internal" accept + + # drop packets coming from blacklisted ip addresses. + nft add rule ip filter input ip saddr @blackhole counter drop + + # add source ip addresses to the backlist if more than 10 tcp connection requests occured per second and ip address. + # entries will timeout after one minute, after which they might be re-added if limit condition persists. + nft add rule ip filter input tcp flags syn tcp dport ssh flow table flood { ip saddr timeout 10s limit rate over 10/second} set add ip saddr timeout 1m @blackhole drop + + # inspect state of the rate limit meter: + nft list meter ip filter flood + + # inspect content of blackhole: + nft list set ip filter blackhole + + # manually add two addresses to the set: + nft add element filter blackhole { 10.2.3.4, 10.23.1.42 } + + + +
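Review bot: the new Sets paragraph in the hunk at @@ -912 has two spellings of "anonymous" wrong ("anoymous" in "once an anoymous set is declared" and "anyonymous" in the example title "Using anyonymous sets to accept particular subnets and ports"), and "an @ prefixed to the sets name" should read "the set's name". The rendered text also runs words together around the markup ("accept addressesand ports", "allowed_portsneed to be created first"); check that a space follows the closing element in each case. Minor consistency point: this hunk's examples use `filter input` without a family while the later blackhole example spells out `ip filter`; picking one form for the whole document avoids readers wondering whether the family is optional.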
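Review bot: the timeout description in the hunk at @@ -1044, "mandatory if set is added to from the packet path (ruleset)", is hard to parse; suggest "mandatory if elements are added from the packet path, i.e. by a set statement in a rule", which also ties the requirement to the new Set statement section where it is explained.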
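Review bot: the size line in the hunk at @@ -1059 is rewritten but keeps the pre-existing typo "maximun"; since the line is touched anyway, make it "maximum number of elements in the set, ..." and use the same phrasing chosen for the timeout entry so the two mandatory-attribute notes read alike.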
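Review bot: several typos in the Set statement hunk at @@ -5338: "Furhermore" (Furthermore), "backlist" in "add source ip addresses to the backlist" (blacklist), "occured" (occurred), and the synopsis renders "commentstring" without a space between the keyword and its argument. The sentence "a timeout (so that number of entries in set will not grow indefinitely)" reads better as "a timeout (so that entries expire rather than accumulate)". The last example, `nft add element filter blackhole { 10.2.3.4, 10.23.1.42 }`, is the only command in the block that omits the `ip` family; write it as `nft add element ip filter blackhole { 10.2.3.4, 10.23.1.42 }` for consistency. It would also help readers to state in the comment on the flood rule that the `timeout 10s` inside the `flow table` is the meter entry's lifetime, distinct from the `timeout 1m` given to the blackhole element, and the closing brace in `10/second}` wants a leading space to match the opening one.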