Sunday, March 22, 2009

nftables - the successor to iptables?

I read about a new project from the netfilter developers that looks VERY interesting to me. The project is called nftables (still an alpha version) and, according to the release, I believe it will eventually "replace" the good old iptables =). Below are some parts of the release:

There are three main components:

- the kernel implementation
- libnl netlink communication
- nftables userspace frontend

At this point a few examples might be in order ...

- a single rule, specified incrementally on the command line:

# nft add rule output tcp dport 22 log accept

The default address family is IPv4, the default table is filter. The
full specification would look like this:

# nft add rule inet filter output tcp dport 22 log accept

- a chain containing multiple rules:

#! nft -f

include "ipv4-filter"

chain filter output {
        ct state established,related accept
        tcp dport 22 accept
        counter drop
}

creates the filter table based on the definitions from "ipv4-filter"
and populates the output chain with the given three rules.

OK, back to the internals. After the input has been parsed, it is
evaluated. This stage performs some basic transformations, like
constant folding and propagation, as well as most semantic checks.

During this step, a protocol context is built based on the current
address family and the specified matches, which describes the protocols
of packets that might hit later operations in the same rule. This
allows two things:

- conflict detection:

... ip protocol tcp udp dport 53

results in:

:1:37-45: Error: conflicting protocols specified: tcp vs. udp
add filter output ip protocol tcp udp dport 53
^^^^^^^^^
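The evaluation step described above, modelled as an added example in Python (this is not code from the nftables project; the tiny token grammar and the ConflictError and ProtoContext names are my own simplification). It walks a rule left to right, records the transport protocol each match implies, and reports a conflict with the same column-range message shown for "ip protocol tcp udp dport 53":

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Transport protocols a match can name, and the header fields that imply them.
L4_PROTOS = {"tcp", "udp", "icmp"}
L4_FIELDS = {"dport", "sport", "flags", "type"}
STATEMENTS = {"log", "counter", "accept", "drop"}

class ConflictError(Exception):
    def __init__(self, rule: str, start: int, end: int, old: str, new: str):
        self.col_start, self.col_end, self.old, self.new = start, end, old, new
        marker = " " * (start - 1) + "^" * (end - start + 1)
        super().__init__(f":1:{start}-{end}: Error: conflicting protocols "
                         f"specified: {old} vs. {new}\n{rule}\n{marker}")

@dataclass
class ProtoContext:
    family: str = "ip"                 # address family (ip, inet, ...)
    l4: Optional[str] = None           # transport protocol established so far
    matches: List[Tuple[str, str, str]] = field(default_factory=list)

    def set_l4(self, rule: str, proto: str, start: int, end: int) -> None:
        # A second, different transport protocol in one rule is a conflict.
        if self.l4 is not None and self.l4 != proto:
            raise ConflictError(rule, start, end, self.l4, proto)
        self.l4 = proto

def evaluate(rule: str, family: str = "ip") -> ProtoContext:
    """Build the protocol context of a single rule expression (toy grammar)."""
    ctx, tokens, cols, pos = ProtoContext(family), rule.split(), [], 0
    for tok in tokens:                  # 1-based column of every token
        pos = rule.index(tok, pos)
        cols.append(pos + 1)
        pos += len(tok)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "ip" and i + 2 < len(tokens) and tokens[i + 1] == "protocol":
            proto = tokens[i + 2]       # explicit "ip protocol <proto>" match
            ctx.set_l4(rule, proto, cols[i + 2], cols[i + 2] + len(proto) - 1)
            i += 3
        elif tok in L4_PROTOS and i + 2 < len(tokens) and tokens[i + 1] in L4_FIELDS:
            # "tcp dport 22" reads a TCP header field, so it implies ip protocol tcp
            ctx.set_l4(rule, tok, cols[i], cols[i + 2] + len(tokens[i + 2]) - 1)
            ctx.matches.append((tok, tokens[i + 1], tokens[i + 2]))
            i += 3
        else:
            i += 1                      # statements and other matches (ct state ...) leave it untouched
    return ctx
```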

Full source: http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/28922


Happy Hacking!

Rodrigo Montoro(Sp0oKeR)

2 comments:

Humberto Sartini said...

They ported PF to Linux!!
;-)

José Eleomar Serpa said...

Hey!

I'm studying to write my final-year thesis (TCC) on this topic, a comparison between iptables and nftables. If you've been reading more about it or are interested in getting to know the tool better, here are my contacts so we can exchange ideas.

Best regards.

MSN = manoserpa@hotmail.com
E-mail/Gtalk = manoserpa@gmail.com