
Nftables

Ubuntu 18.04 install

$ sudo -i
# apt update
# apt install -y nftables iptables-nftables-compat
# apt purge -y iptables
# nft -v
nftables v0.8.2 (Joe Btfsplk)
# reboot

Usage sample

Checking tables

# nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
# nft list table inet filter
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
# nft list chain inet filter input
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }
}

Blocking example

# nft add rule inet filter output tcp dport 443 counter drop
# curl -v https://www.juniper.net/
*   Trying 2001:f61:11:296::720...
* TCP_NODELAY set
*   Trying 23.37.149.150...
* TCP_NODELAY set
^C
# nft list chain inet filter output
table inet filter {
        chain output {
                type filter hook output priority 0; policy accept;
                tcp dport https counter packets 6 bytes 420 drop
        }
}

Note that `nft list` prints the port by its service name (`https` for 443, looked up in /etc/services); add `-nn` to show ports numerically. Because the table is in the inet family, the single rule matched both the IPv6 and the IPv4 connection attempts curl made, and the counter shows the combined total.

Migrating from iptables

With iptables-nftables-compat installed, iptables commands can be translated into their nftables equivalents.

# iptables-translate -F INPUT
nft flush chain ip filter INPUT
(*) nft flush chain inet filter input
# iptables-translate -L INPUT
nft list table ip filter
(*) nft list table inet filter
# iptables-translate -A INPUT -p tcp --sport 50001 --dport 60001 -j DROP
nft add rule ip filter INPUT tcp sport 50001 tcp dport 60001 counter drop
(*) nft add rule inet filter input tcp sport 50001 tcp dport 60001 counter drop
# iptables-translate -I INPUT 1 -p tcp --sport 50001 --dport 60001 -j DROP
nft insert rule ip filter INPUT tcp sport 50001 tcp dport 60001 counter drop
(*) nft insert rule inet filter input tcp sport 50001 tcp dport 60001 counter drop

The translator emits the `ip filter` table and the capitalised chain names (`INPUT`) that iptables itself uses, so these commands do not apply as-is to the `inet filter` table with lower-case chains shown above; the lines marked (*) are the same rules rewritten for that table. Note also that the translator appends `counter` to every rule, because iptables keeps packet and byte counters on each rule, whereas nftables only counts where you ask it to.
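The rulesets listed above have `policy accept` on every chain, so the single `drop` rule in the blocking example is the only thing being filtered, and rules added with `nft add rule` are lost at reboot. The following /etc/nftables.conf is an added example, not from the original page: it makes the outbound HTTPS block from the blocking example persistent, places the rule produced by `iptables-translate` (rewritten for the `inet filter` table as in the (*) lines) in the input chain, and turns the input chain into a default-deny stateful filter. It assumes SSH on port 22 is the only service that must stay reachable and that the host does not forward traffic; adjust both before applying.

```nft
#!/usr/sbin/nft -f
# /etc/nftables.conf  (example; assumes SSH on 22 is the only inbound service)
flush ruleset

define mgmt_ports = { 22 }

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;

                # Loopback traffic and replies to connections this host opened
                iif lo accept
                ct state invalid drop
                ct state established,related accept

                # ICMP is needed for path MTU discovery; ICMPv6 also carries
                # IPv6 neighbour discovery, so blocking it breaks IPv6 entirely
                ip protocol icmp accept
                ip6 nexthdr ipv6-icmp accept

                # Management access (keep this rule, or a remote session is lost
                # the moment the policy drop takes effect)
                tcp dport $mgmt_ports ct state new counter accept

                # The rule iptables-translate produced, rewritten for this table
                tcp sport 50001 tcp dport 60001 counter drop

                # Everything else: count it so the drops are visible in nft list
                counter drop
        }

        chain forward {
                # This host is not a router
                type filter hook forward priority 0; policy drop;
        }

        chain output {
                type filter hook output priority 0; policy accept;

                # The page's blocking example made persistent; the inet family
                # covers both IPv4 and IPv6 destinations
                tcp dport 443 counter drop
        }
}
```

Check the file first with `nft -c -f /etc/nftables.conf` (parses it without applying), then load it with `nft -f /etc/nftables.conf` and enable the `nftables` service so it is restored at boot. Since `flush ruleset` replaces everything currently loaded, do this from a console or with the SSH rule in place, and confirm with `nft list ruleset` that the rule counters move as expected (the listing will show `ssh` and `https` rather than 22 and 443).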


Last updated: 2021-05-17 02:51:56