path: root/doc/stateful-objects.txt
blob: 5824d53ad88f3636febb50e3cb3bdaa2f01bae97 (plain)
CT HELPER
~~~~~~~~~
[verse]
*add* *ct helper* ['family'] 'table' 'name' *{ type* 'type' *protocol* 'protocol' *;* [*l3proto* 'family' *;*] *}*
*delete* *ct helper* ['family'] 'table' 'name'
*list* *ct helpers*

Ct helper is used to define connection tracking helpers that can then be used in
combination with the *ct helper set* statement. 'type' and 'protocol' are
mandatory; l3proto is derived from the table family by default, i.e. in the inet
table the kernel will try to load both the ipv4 and ipv6 helper backends, if
they are supported by the kernel.

.conntrack helper specifications
[options="header"]
|=================
|Keyword | Description | Type
|type | name of helper type | quoted string (e.g. "ftp")
|protocol | layer 4 protocol of the helper | string (e.g. tcp)
|l3proto | layer 3 protocol of the helper | address family (e.g. ip)
|comment | per ct helper comment field | string
|=================

Unlike iptables, helper assignment needs to be performed after the conntrack
lookup has completed, for example with the default 0 hook priority.

.defining and assigning ftp helper
----------------------------------
table inet myhelpers {
  ct helper ftp-standard {
     type "ftp" protocol tcp
  }
  chain prerouting {
      type filter hook prerouting priority filter;
      tcp dport 21 ct helper set "ftp-standard"
  }
}
----------------------------------

CT TIMEOUT
~~~~~~~~~~
[verse]
*add* *ct timeout* ['family'] 'table' 'name' *{ protocol* 'protocol' *; policy = {* 'state'*:* 'value' [*,* ...] *} ;* [*l3proto* 'family' *;*] *}*
*delete* *ct timeout* ['family'] 'table' 'name'
*list* *ct timeouts*

Ct timeout is used to update connection tracking timeout values. Timeout policies
are assigned with the *ct timeout set* statement. 'protocol' and 'policy' are
mandatory; l3proto is derived from the table family by default.

.conntrack timeout specifications
[options="header"]
|=================
|Keyword | Description | Type
|protocol | layer 4 protocol of the timeout object | string (e.g. tcp)
|state | connection state name | string (e.g. "established")
|value | timeout value for connection state | unsigned integer
|l3proto | layer 3 protocol of the timeout object | address family (e.g. ip)
|comment | per ct timeout comment field | string
|=================

tcp connection state names that can have a specific timeout value are:

'close', 'close_wait', 'established', 'fin_wait', 'last_ack', 'retrans', 'syn_recv', 'syn_sent', 'time_wait' and 'unack'.

You can use 'sysctl -a | grep net.netfilter.nf_conntrack_tcp_timeout_' to view and change the system-wide defaults.
'ct timeout' allows for flow-specific settings, without changing the global timeouts.

For example, tcp port 53 could have much lower settings than other traffic.

udp state names that can have a specific timeout value are 'replied' and 'unreplied'.

.defining and assigning ct timeout policy
----------------------------------
table ip filter {
	ct timeout customtimeout {
		protocol tcp;
		l3proto ip
		policy = { established: 2m, close: 20s }
	}

	chain output {
		type filter hook output priority filter; policy accept;
		ct timeout set "customtimeout"
	}
}
----------------------------------

Run 'conntrack -E' while the policy is active. An entry matched by the
*ct timeout set* rule should show the 120 second (2m) established timeout
from the policy instead of the system-wide default:

.testing the updated timeout policy
----------------------------------
% conntrack -E
[UPDATE] tcp      6 120 ESTABLISHED src=172.16.19.128 dst=172.16.19.1
sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128
sport=41360 dport=22
----------------------------------
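As an added example (not part of the nftables documentation), the check a practitioner would script around 'conntrack -E': parse the event lines, convert the policy's nft time values ('2m', '20s') to seconds, and flag flows whose remaining timeout exceeds what the policy assigns, which means the *ct timeout set* rule did not apply to them. The sample events below are constructed, modelled on the line shown above.

```python
import re

# Constructed `conntrack -E` lines modelled on the documentation's example;
# not captured from a live system.
SAMPLE_EVENTS = """\
[UPDATE] tcp      6 120 ESTABLISHED src=172.16.19.128 dst=172.16.19.1 sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128 sport=41360 dport=22
[UPDATE] tcp      6 20 CLOSE src=172.16.19.128 dst=172.16.19.1 sport=22 dport=41361 src=172.16.19.1 dst=172.16.19.128 sport=41361 dport=22 [ASSURED]
[NEW] udp      17 30 src=10.0.0.5 dst=10.0.0.53 sport=5353 dport=53 [UNREPLIED] src=10.0.0.53 dst=10.0.0.5 sport=53 dport=5353
"""

# The policy of the `ct timeout customtimeout` object defined above.
CUSTOM_POLICY = {"established": "2m", "close": "20s"}

_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def nft_time_to_seconds(value):
    """Convert an nft time value ('2m', '20s', '1h30m') to whole seconds."""
    parts = re.findall(r"(\d+)([dhms])", value)
    if not parts or re.sub(r"\d+[dhms]", "", value):
        raise ValueError("not an nft time value: %r" % value)
    return sum(int(n) * _UNITS[u] for n, u in parts)

# Event header: [TYPE] proto protonum timeout [STATE] followed by the tuple.
_EVENT_RE = re.compile(
    r"^\[(?P<event>\w+)\]\s+(?P<proto>\w+)\s+(?P<protonum>\d+)\s+"
    r"(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?=src=)")

def parse_conntrack_event(line):
    """Header fields of one `conntrack -E` line; the timeout column is the
    remaining lifetime in seconds, and UDP entries carry no state word."""
    m = _EVENT_RE.match(line)
    if not m:
        raise ValueError("unrecognised conntrack event: %r" % line)
    fields = m.groupdict()
    fields["timeout"] = int(fields["timeout"])
    fields["flags"] = re.findall(r"\[([A-Z]+)\]", line[m.end():])
    return fields

def find_policy_mismatches(events_text, policy, proto="tcp"):
    """Return (line, state, seen, expected) for flows in a policy-covered
    state whose remaining timeout exceeds the policy value; a remaining
    lifetime can never exceed the configured timeout, so such a flow was
    not matched by the `ct timeout set` rule. Empty list means all good."""
    mismatches = []
    for line in events_text.splitlines():
        ev = parse_conntrack_event(line)
        state = (ev["state"] or "").lower()
        if ev["proto"] != proto or state not in policy:
            continue
        expected = nft_time_to_seconds(policy[state])
        if ev["timeout"] > expected:
            mismatches.append((line, state, ev["timeout"], expected))
    return mismatches
```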

CT EXPECTATION
~~~~~~~~~~~~~~
[verse]
*add* *ct expectation* ['family'] 'table' 'name' *{ protocol* 'protocol' *; dport* 'dport' *; timeout* 'timeout' *; size* 'size' *;* [*l3proto* 'family' *;*] *}*
*delete* *ct expectation* ['family'] 'table' 'name'
*list* *ct expectations*

Ct expectation is used to create connection expectations. Expectations are
assigned with the *ct expectation set* statement. 'protocol', 'dport',
'timeout' and 'size' are mandatory; l3proto is derived from the table family
by default.

.conntrack expectation specifications
[options="header"]
|=================
|Keyword | Description | Type
|protocol | layer 4 protocol of the expectation object | string (e.g. udp)
|dport | destination port of expected connection | unsigned integer
|timeout | timeout value for expectation | unsigned integer
|size | size value for expectation | unsigned integer
|l3proto | layer 3 protocol of the expectation object | address family (e.g. ip)
|comment | per ct expectation comment field | string
|=================

.defining and assigning ct expectation policy
----------------------------------
table ip filter {
	ct expectation expect {
		protocol udp
		dport 9876
		timeout 2m
		size 8
		l3proto ip
	}

	chain input {
		type filter hook input priority filter; policy accept;
		ct expectation set "expect"
	}
}
----------------------------------

COUNTER
~~~~~~~
[verse]
*add* *counter* ['family'] 'table' 'name' [*{* [ *packets* 'packets' *bytes* 'bytes' ';' ] [ *comment* 'comment' ';' *}*]
*delete* *counter* ['family'] 'table' 'name'
*list* *counters*

.Counter specifications
[options="header"]
|=================
|Keyword | Description | Type
|packets | initial count of packets | unsigned integer (64 bit)
|bytes | initial count of bytes | unsigned integer (64 bit)
|comment | per counter comment field | string
|=================

.*Using named counters*
------------------
nft add counter filter http
nft add rule filter input tcp dport 80 counter name \"http\"
------------------

.*Using named counters with maps*
------------------
nft add counter filter http
nft add counter filter https
nft add rule filter input counter name tcp dport map { 80 : \"http\", 443 : \"https\" }
------------------

QUOTA
~~~~~
[verse]
*add* *quota* ['family'] 'table' 'name' *{* [*over*|*until*] 'bytes' 'BYTE_UNIT' [ *used* 'bytes' 'BYTE_UNIT' ] ';' [ *comment* 'comment' ';' ] *}*
BYTE_UNIT := bytes | kbytes | mbytes
*delete* *quota* ['family'] 'table' 'name'
*list* *quotas*

.Quota specifications
[options="header"]
|=================
|Keyword | Description | Type
|quota | quota limit, used as the quota name | Two arguments, unsigned integer (64 bit) and string: bytes, kbytes, mbytes. "over" and "until" go before these arguments
|used | initial value of used quota | Two arguments, unsigned integer (64 bit) and string: bytes, kbytes, mbytes
|comment | per quota comment field | string
|=================

.*Using named quotas*
------------------
nft add quota filter user123 { over 20 mbytes }
nft add rule filter input ip saddr 192.168.10.123 quota name \"user123\"
------------------

.*Using named quotas with maps*
------------------
nft add quota filter user123 { over 20 mbytes }
nft add quota filter user124 { over 20 mbytes }
nft add rule filter input quota name ip saddr map { 192.168.10.123 : \"user123\", 192.168.10.124 : \"user124\" }
------------------