From 86b89aa695d84d2c28731ac92f5c0b592b11cdb8 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Sun, 11 Mar 2018 17:47:05 +0100
Subject: doc: add set information and example for run-time blackhole
Signed-off-by: Florian Westphal
---
 doc/nft.xml | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 79 insertions(+), 2 deletions(-)
(limited to 'doc')
diff --git a/doc/nft.xml b/doc/nft.xml
index f7cf0777..d3765fac 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -912,6 +912,31 @@ table inet filter {
 Sets
+
+ nftables offers two kinds of set concepts.
+ Anonymous sets are sets that have no specific name. The set members are enclosed in curly braces,
+ with commas to separate elements when creating the rule the set is used in.
+ Once that rule is removed, the set is removed as well.
+ They cannot be updated, i.e. once an anoymous set is declared it cannot be changed anymore except by
+ removing/altering the rule that uses the anonymous set.
+
+ Using anyonymous sets to accept particular subnets and ports
+
+ nft add rule filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport { 22, 443 } accept
+
+
+ Named sets are sets that need to be defined first before they can be referenced
+ in rules. Unlike anonymous sets, elements can be added to or removed from a named set at any time.
+ Sets are referenced from rules using an @ prefixed to the sets name.
+
+ Using named sets to accept addressesand ports
+
+ nft add rule filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept
+
+ The sets allowed_hosts and allowed_portsneed to
+ be created first. The next section describes nft set syntax in more detail.
+
+
 add
@@ -1044,7 +1069,7 @@ table inet filter {
 timeout
- time an element stays in the set
+ time an element stays in the set, mandatory if set is added to from the packet path (ruleset).
 string, decimal followed by unit. Units are: d, h, m, s
@@ -1059,7 +1084,7 @@ table inet filter {
 size
- maximun number of elements in the set
+ maximun number of elements in the set, mandatory if set is added to from the packet path (ruleset).
 unsigned integer (64 bit)
@@ -5338,6 +5363,58 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" }
+
+ Set statement
+
+ The set statement is used to dynamically add or update elements in a set from the packet path.
+ The set setname must already exist in the given table.
+ Furhermore, any set that will be dynamically updated from the nftables ruleset must specify
+ both a maximum set size (to prevent memory exhaustion) and a timeout (so that number of entries in
+ set will not grow indefinitely).
+ The set statement can be used to e.g. create dynamic blacklists.
+
+
+
+ set
+
+ add
+ update
+
+ expression
+ timeout timeout
+ commentstring
+ @setname
+
+
+
+
+ Example for simple blacklist
+
+ # declare a set, bound to table "filter", in family "ip". Timeout and size are mandatory because we will add elements from packet path.
+ nft add set ip filter blackhole "{ type ipv4_addr; flags timeout; size 65536; }"
+
+ # whitelist internal interface.
+ nft add rule ip filter input meta iifname "internal" accept
+
+ # drop packets coming from blacklisted ip addresses.
+ nft add rule ip filter input ip saddr @blackhole counter drop
+
+ # add source ip addresses to the backlist if more than 10 tcp connection requests occured per second and ip address.
+ # entries will timeout after one minute, after which they might be re-added if limit condition persists.
+ nft add rule ip filter input tcp flags syn tcp dport ssh flow table flood { ip saddr timeout 10s limit rate over 10/second} set add ip saddr timeout 1m @blackhole drop
+
+ # inspect state of the rate limit meter:
+ nft list meter ip filter flood
+
+ # inspect content of blackhole:
+ nft list set ip filter blackhole
+
+ # manually add two addresses to the set:
+ nft add element filter blackhole { 10.2.3.4, 10.23.1.42 }
+
+
+
+
-- cgit v1.2.3