Nftables: a new packet filtering engine
| LWN.net needs you! Without subscribers, LWN would simply not exist. Please consider signing up for a subscription and helping to keep LWN publishing |
Packet filtering and firewalling has a long history in Linux. The first filtering mechanism, called "ipfwadm," was released in 1995 for the 1.2.1 kernel. This code was used until the 2.2.0 stable release (January, 1999), when the new "ipchains" module took over. While ipchains was useful, it only lasted until 2.4.0 (January, 2001), when it, too, was replaced by iptables/netfilter, which remains in the kernel now. If netfilter maintainer Patrick McHardy has his way, though, iptables, too, will be gone in the future, replaced by yet another mechanism called "nftables." This article will give an overview of how nftables works, followed by a discussion of the motivations behind this change.
The first public nftables release came out on March 18. This code has been in the works for a while, though, and the ideas were discussed at the 2008 Netfilter Workshop. So nftables is not quite as new as it might seem.
The current iptables code has a lot of protocol awareness built into it. There is, for example, a module dedicated to extracting port numbers from UDP packets which is different from the module concerned with TCP packets. The nftables implementation is entirely different; there is no protocol knowledge built into it at all. Instead, nftables is implemented as a simple virtual machine which interprets code loaded from user space. So nftables has no operation which says anything like "compare the IP destination address to 196.168.0.1"; instead, it would execute code which looks like:
payload load 4 offset network header + 16 => reg 1
compare reg 1 192.168.0.1
(Patrick presents the code in mnemonic form, and your editor will do the same; the actual code loaded into the kernel uses opcodes instead). The first line loads four bytes from the packet, located 16 bytes past the beginning of the network reader, into register 1. The second line then compares that register against the given network address.
The language can do a lot more than just comparing addresses, of course. There is, for example, a set lookup feature. Consider the following:
payload load 4 offset network header + 16 => reg 1
set lookup reg 1 load result in verdict register
{ "192.168.0.1" : jump chain1,
"192.168.0.2" : drop,
"192.168.0.3" : jump chain2 }
This code will cause packets aimed at 192.168.0.2 to be dropped; for the other two listed addresses, control will be sent to specific rule chains. This set feature allows for multi-branch rules in a way which cannot be done with the current iptables implementation (though the ipset mechanism helps in that regard). The above code also introduces the "verdict register," which records an action to be performed on a packet. In nftables, more than one verdict can be rendered on a packet; it is possible to add a packet to a specific counter, log it, and drop it all in a single chain without the need (as seen in iptables) to repeat tests.
There are a number of other capabilities built into the nftables virtual machine. There's a set of operations for communicating with the connection-tracking mechanism, allowing connection information to be used in deciding the fate of specific packets. Other operators deal with various bits of packet metadata known to the networking subsystem; these include the length, the protocol type, security mark information, and more. Operators exist for logging packets and incrementing counters. There's also a full set of comparison operations, of course.
Network administrators are unlikely to be impressed by the idea of programming a low-level virtual machine for their future firewalling needs. The good news is that there will be no need for them to do so. Instead, they'll write higher-level rules which will then be compiled into virtual machine code before being loaded into the kernel. The nftables utility does this work, implementing a human-readable language encapsulating most of the needed information about how packets are put together. So, if we look back to the first test described above:
payload load 4 offset network header + 16 => reg 1
compare reg 1 192.168.0.1
The administrator would simply write "ip daddr 192.168.0.1" and let nftables turn that into the above code. A full (if simple) rule looks something like this:
rule add ip filter output ip daddr 192.168.0.1 counter
This rule will count packets sent to 192.168.0.1.
The new nftables API is based on netlink, naturally. Unlike the current iptables API, it has the ability to modify individual rules without the need to reload the entire configuration. There is also a decompilation facility built into nftables that allows the recreation of human-readable rules from the current in-kernel configuration.
[PULL QUOTE: This could be a disruptive and expensive transition; the kernel development community will want to see some very good reasons for inflicting this pain on its users. END QUOTE] All told, it looks like a nicely-designed packet filtering mechanism, but the merging of nftables is likely to be controversial. The iptables mechanism works well, and is widely used; replacing it with code which breaks the user-space API and breaks all existing iptables configurations is guaranteed to raise some eyebrows. This could be a disruptive and expensive transition, even if, as seems necessary, the developers commit to maintaining both iptables and nftables in the mainline for an extended period of time. The kernel development community will want to see some very good reasons for inflicting this pain on its users.
There are some good reasons, but one should start by noting that it should be possible to create a tool which reads current iptables configurations and converts them to the nftables language - or even directly to kernel virtual machine code. Patrick seems to expect to create such a tool One Of These Days, but it does not exist at this time.
Some of the reasons for replacing iptables have already been hinted at above. The protocol knowledge built into the iptables code has turned out to be a problem over time; there is a lot of duplicated code doing the same thing (extracting port numbers, say) for different protocols. Even worse, the capabilities and syntax tend to vary from one protocol to the next. By moving all of that knowledge out to user space, nftables greatly simplifies the in-kernel code and allows for much more consistent treatment of all protocols.
There are a lot of optimization possibilities built into the new system. Some expensive operations (incrementing counters, for example) can be skipped unless the user really needs them. Features like set lookups and range mapping can collapse a whole set of iptables rules into a single nftables operation. Since filtering rules are now compiled, there is also potential for the compiler to optimize the rules further. Traditional firewall configurations tend to perform the same tests repeatedly; a smart nftables compiler could eliminate much of that duplicated work. Unsurprisingly, this optimization remains on the "to do" list for now, but the fact that all of this work is done in user space will make it easy to add such features in the future.
The nftables tool will also be able to perform a higher level of validation on the rules it is given, and it will be able to provide more useful diagnostics than can be had from the iptables code.
But, arguably, the most important motivation is the ability to dump the current ABI. The iptables ABI has become an increasing impediment to development over time. It includes protocol-specific fields which has made it hard to extend; that is part of why there are actually three copies of the iptables code in the kernel. When developers wanted to implement arptables and ebtables, they essentially had to copy the code and bang it into a new, protocol-specific shape. Patrick estimates that, even after four years of unification work, the kernel contains some 10,000 lines of duplicated filtering code. Beyond that, the structures used in the ABI are also used directly in the kernel's internal representation, making that implementation even harder to change. Separating the two would be possible through the addition of a translation layer, but the details involved (including the need to translate in both directions) increase the risk of adding subtle problems. In summary, the iptables ABI has become a serious impediment to further progress in packet filtering.
Nftables is a chance to dump all of that code and replace it with a much smaller filtering core which should prove to be quite a bit more flexible. With any luck, nftables should last a long time; the virtual machine can be extended in unexpected ways without the need to break the user-space ABI (again). It's smaller size should make it well suited to small router deployments, while its lockless design should appeal to administrators of high-end systems. All told, chances are good that the larger community will eventually see this change as being worthwhile. But not for a while: there are some unfinished pieces in nftables, and the larger discussion has not yet begun.
(For more information, see this weblog
posting from August, 2008 and the slides
from Patrick's presentation [ODF] at the Netfilter Workshop).
| Index entries for this article | |
|---|---|
| Kernel | Networking/Packet filtering |
| Kernel | Nftables |
(Log in to post comments)
Nftables: a new packet filtering engine
Posted Mar 24, 2009 17:25 UTC (Tue) by JoeBuck (subscriber, #2330) [Link]
If there were a translator that could take iptables rules and produce nftables rules, either the high-level form or the virtual machine form, then it seems that this change would be a no-brainer: iptables firewalls keep working and the kernel has a smaller, more flexible and powerful implementation. But without such a translator, users lose big-time.So a translator should be a prerequisite for accepting nftables, because it allows iptables to go away.
Nftables: a new packet filtering engine
Posted Mar 24, 2009 17:44 UTC (Tue) by yokem_55 (subscriber, #10498) [Link]
Nftables: a new packet filtering engine
Posted Mar 24, 2009 17:58 UTC (Tue) by martinfick (subscriber, #4455) [Link]
Nftables: a new packet filtering engine
Posted Mar 24, 2009 18:21 UTC (Tue) by kaber (guest, #18366) [Link]
That said, iptables is certainly going to stay for quite a while. The rough plan so far is to add a converter/parser for the old syntax, shake out the bugs, and at some point transparently enable it in userspace once it has proven itself. A couple of years sounds realistic to me. But since this hasn't been discussed yet, things might also turn out differently.
Nftables: a new packet filtering engine
Posted Mar 24, 2009 22:17 UTC (Tue) by man_ls (guest, #15091) [Link]
I like this. So, if I understood well, an iptables-like command (with syntax identical to the old-style command) will transparently generate new-style rules and load them? That would be a very good proof of the versatility of the new engine.
Nftables: a new packet filtering engine
Posted Mar 29, 2009 6:58 UTC (Sun) by ernest (guest, #2355) [Link]
Wel, a translator which loads the old iptable rules could prevent the new high level nftable language from ever being further developped.
This could be a problem, but maybe not. It depends on how much more can be done with the new highlevel nftable language or how efficient the iptable rule translator will be.
Ernest.
Wasn't there an ipchains ---> iptables compatibility mode?
Posted Mar 24, 2009 17:58 UTC (Tue) by felixfix (subscriber, #242) [Link]
Wasn't there an ipchains ---> iptables compatibility mode?
Posted Mar 24, 2009 18:40 UTC (Tue) by wstearns (subscriber, #4102) [Link]
I wrote userspace converters that respectively turned an ipfwadm firewall file into an ipchains firewall (ipfwadm2ipchains) or turned an ipchains firewall into an iptables firewall (ipchains2iptables). Neither created a perfect conversion (there are architectural differences in the firewalls that can't be perfectly converted), but both covered the majority of rules correctly.
The tools can be found at www.stearns.org/i2i/ . Like sausage, they're functional but ugly in their implementation.
-- Bill Stearns
Wasn't there an ipchains ---> iptables compatibility mode?
Posted Mar 25, 2009 1:00 UTC (Wed) by dlang (guest, #313) [Link]
You are totally wrong
Posted Mar 26, 2009 7:51 UTC (Thu) by khim (subscriber, #9252) [Link]
Google for "ipchains emulation" and you'll find tons of links to messages about problems with said in-kernel emulation. May be this is why you remember only conversion scripts? IPchains emulation was incomplete and ineffective - that's why most admins just converted scripts: it was easier to convert scripts then to fight problems in emulation. But is was there - that's for sure...
Nftables: a new packet filtering engine
Posted Mar 24, 2009 18:51 UTC (Tue) by quotemstr (subscriber, #45331) [Link]
But there's already a perfectly good, free, and Free filtering solution that's portable to quite a few operating systems. Why not just port pf to Linux?
I can't help but think that nftables is a case of NIH syndrome.
Nftables: a new packet filtering engine
Posted Mar 24, 2009 19:11 UTC (Tue) by kaber (guest, #18366) [Link]
Nftables: a new packet filtering engine
Posted Mar 24, 2009 19:45 UTC (Tue) by patrick_g (subscriber, #44470) [Link]
>>> Less features is always a hard sellCould you please tell us wich features are missing in pf ?
>>> there's really nothing to gain from it
You gain a very modern and efficient packet filter with a good and clear syntax. pf is part of OpenBSD, FreeBSD, NetBSD, DragonflyBSD and I think it would be wise to, at least, consider and discuss this option.
Nftables: a new packet filtering engine
Posted Mar 24, 2009 19:45 UTC (Tue) by flewellyn (subscriber, #5047) [Link]
Nftables: a new packet filtering engine
Posted Mar 24, 2009 19:51 UTC (Tue) by quotemstr (subscriber, #45331) [Link]
Nftables: a new packet filtering engine
Posted Mar 24, 2009 20:08 UTC (Tue) by flewellyn (subscriber, #5047) [Link]
This was in 2005, so I will grant that things may have changed since then.
Nftables: a new packet filtering engine
Posted Mar 24, 2009 20:11 UTC (Tue) by Alan_Hicks (guest, #20469) [Link]
Nftables: a new packet filtering engine
Posted Mar 25, 2009 13:54 UTC (Wed) by rvfh (guest, #31018) [Link]
Nftables: a new packet filtering engine
Posted Mar 24, 2009 20:00 UTC (Tue) by Alan_Hicks (guest, #20469) [Link]
Setting up class-based or priority-based queues is also ridiculously easy with pf and included right in the code, not as some add-on. One of the features mentioned in the article about nftables is the ability to easily jump to a different rule or class of rules. This was solved years and years ago by pf with the use of anchors.
As far as features go, I just gave you three. There are plenty more (scrubbing packets and antispoof instantly come to mind), but perhaps the best is the sane and clearly readable syntax for pf, not to mention the more powerful pfctl tool[1].
As for porting, pf originated with OpenBSD and has been ported to FreeBSD, NetBSD, and Dragonfly BSD. I'm not programmer though, so I can't say for certain how easy it would be to port to Linux, but my understanding is that there are some fairly radical architecture differences in those four BSDs, particularly in regards to the new off-shoot Dragonfly. I would make a SWAG that porting it wouldn't be any more difficult than writing an entirely new packet filter.
[0] There's an out-of-tree module for iptables that allows binary lists and functions similarly to pf's tables I'm told.
[1] As compared to iptables. I have not looked at the userspace component of nftables at all.
Nftables: a new packet filtering engine
Posted Mar 25, 2009 11:58 UTC (Wed) by osma (subscriber, #6912) [Link]
What I particularly like (as a sysadmin) in pf are two things:
- the configuration syntax is concise, very readable and it is easy to do infrequent adjustments without having to look at the documentation
- after editing the ruleset file, the pfctl tool can be used to do a live update of the kernel ruleset without e.g. breaking existing connections
I don't have an opinion on whether to port pf or not, but I hope that whatever replaces iptables will consider these features. It sounds like the nftables approach has the potential for these, as the ruleset processing is done mostly in user space.
Nftables: a new packet filtering engine
Posted Apr 2, 2009 10:39 UTC (Thu) by jengelh (subscriber, #33263) [Link]
You can do the same with iptables-restore.
Nftables: a new packet filtering engine
Posted Mar 24, 2009 19:18 UTC (Tue) by clugstj (subscriber, #4020) [Link]
I know nothing about this particular case, but many times, the effort to port something is nearly the same as re-inventing it.
Nftables: a new packet filtering engine
Posted Mar 24, 2009 23:24 UTC (Tue) by fuhchee (guest, #40059) [Link]
the effort to port something is nearly the same as re-inventing itAnd only one third the fun.
Nftables: a new packet filtering engine
Posted Mar 25, 2009 3:26 UTC (Wed) by kaber (guest, #18366) [Link]
To clarify: I certainly did consider the way pf does things and there are quite a few things I like better than in iptables, starting with having a language specifically designed for filtering rules, compared to the quite primitive shell command invocation mainly used with iptables.
But porting the kernel side doesn't make sense at all. The code structure doesn't match how things are done in the Linux kernel, the API doesn't match what we want, its tightly coupled to a different NAT and state tracking system and even basic things like rule evaluation order are different from what iptables does. There's no way to transform it into something that can be backwards compatible with iptables/ip6tables/arptables/ebtables without basically rewriting it.
Nftables: a new packet filtering engine
Posted Mar 27, 2009 4:54 UTC (Fri) by rusty (guest, #26) [Link]
shaping and filtering, which is so fragmented in Linux. But I haven't used it in anger.
That said, I feel they've made the same mistake as just about everyone else in conflating NAT
and filtering (the two shouldn't be related: changing your NAT rules should not imply a change to
your filtering rules unless you're being very tricky).
But I always intended iptables as the assembler language of firewalls. Someone was supposed
to write the cool GUI tool which monitored traffic, let you shape and firewall it without touching
this stuff. I'm still waiting :)
Nftables: a new packet filtering engine
Posted Mar 27, 2009 5:21 UTC (Fri) by quotemstr (subscriber, #45331) [Link]
Someone was supposed to write the cool GUI toolOh, people have written neat front-ends. But because there was no de facto standard rule compiler distributed with iptables, all the tutorials, guides, and so on focused on what was universal, direct iptables manipulation. Since everyone was familiar with raw iptables, front-ends were seldom used, and seldom distributed.
pf also has a fairly primitive kernel-side "assembly language", but because pfctl is the way everyone manipulates the kernel state, nobody notices the difference between pf.conf and the raw rules as seen when reading the firewall state back from the kernel.
If, from the start, iptables had an official and useful front-end language tied to exactly the same kernel architecture, I doubt we'd be talking about a replacement today.
changing your NAT rules should not imply a change to your filtering rules unless you're being very trickyIt's still very useful to be able to specify them in the same place. When writing filtering and NAT rules, we mentally track the path of a packet as it transits the network stack; since a packet is subject to filtering and address translation in sequence, it's useful to be able to specify the rules in the same place.
Nftables: a new packet filtering engine
Posted Mar 29, 2009 19:49 UTC (Sun) by job (guest, #670) [Link]
Most home users just use a web based configuration tool, and there are many capable ones. No waiting necessary, but that's a very different problem space.
Nftables: a new packet filtering engine
Posted Mar 27, 2009 18:06 UTC (Fri) by kaber (guest, #18366) [Link]
iptables is, just like the kernel side of nftables, indeed the assembler of firewalling. Userspace is missing a compiler in my opinion though :) One of the differences is that nftables performs file-based parsing by default, so it can collect more information about the entire ruleset. So far it doesn't use much of that context, but I have some ideas for when the important parts are done :)
Typo
Posted Mar 24, 2009 19:11 UTC (Tue) by PhracturedBlue (subscriber, #4193) [Link]
should be 'header' not 'reader' I think.
Nftables: Not addressing VJ channels or userspace tcp
Posted Mar 24, 2009 19:42 UTC (Tue) by hisdad (subscriber, #5375) [Link]
The performance improvement can be large.
The catch is how to do firewalling.
Updating to a new codebase that still doesn't do this is of limited use.
--John
Nftables: Not addressing VJ channels or userspace tcp
Posted Mar 25, 2009 1:17 UTC (Wed) by ras (subscriber, #33059) [Link]
Out of the 3 of them, iptables is probably the least efficient way of doing things since it provides no form of table lookup. Thus you get one linear list of rules which always takes O(n) to process. The others can do table lookups. So iptables it makes sense to replace iptables. But ....
Almost everyone uses iptables to get the job done? Why. Documentation. Rusty's user level documentation for ipchanins and later iptables on the other hand is possibly the best of any kernel documentation I have seen. It sets the standard, and is a fine example others should follow.
The netfilter developers on the other hand have an appalling record for doing documentation. It lies at the other end of the spectrum - possibly the worst documentation for any kernel tool. This tradition started with Alexy, who didn't bother to write a single line of doco on how to use the tc command. Well possibly one line - something along the lines of "see the usage message". His followers, Patrick included, have continued with that fine tradition. As far as I can tell they have never written a single line of user documentation. Thus the man entry for tc on Debian Lenny was written 8 years ago, by someone who trolled the kernel code to figure out how it worked. Recent additions by Jared and Patrick, such as mirred and redirect don't appear in any "official" documentation. The only information we get is quick HOWTO's posted to mailing lists.
If you want to really use this stuff at all you have to troll with google looking for either these snippets, or more commonly HOWTO's posted by others who have stumbled across the solution. Sadly the HOWTO's are often misleading, as you would expect from something developed by finding something close to what they wanted then fiddling to make it work for their particular application. They don't have much of an idea as to what is happening underneath, so their explanations as to why it works tend toward useless. If you really want to use this stuff to its full potential then you only have one choice: read the kernel source.
This may sound like just someone bitching, but if nftables gets in history will almost certainly repeat itself. Alexy decided that doing traffic control on ingress didn't make sense. Nonetheless, people wanted to do it, and eventually the IMQ module made it possible. IMQ had fairly good documentation. But the netfilter guys didn't like the way IMQ did things, so it never made it into the kernel. However the persistent popularity of IMQ eventually pushed them into providing a way to do incoming traffic control within the existing framework. Only, they never did bother documenting it, so figuring out how to use it takes a fair amount of effort. Needless to say IMQ lives on.
And Patrick introduced HSFC, a replacement for CBQ and HTB. Technically, HSFC is better than either - it is a nice qdisc. But naturally documentation is sparse, scattered across the internet, and mostly not written by Patrick.
In a nutshell, I'd take iptables with documentation over nftables without doco any day, regardless of how much better nftables is technically.
At a higher level, Linux is in dire need of a a change to Dave Millers patch acceptance policy. It should go something like this: if you make a kernel change that shows up at use level (eg by changes to the tc command), then the patch will only be accepted if there is a patch for the man page, and preferable a patch to an "official" tutorial somewhere giving examples of typical usage.
Documentation!
Posted Mar 25, 2009 2:20 UTC (Wed) by dskoll (subscriber, #1630) [Link]
Documentation!
Posted Mar 25, 2009 20:22 UTC (Wed) by nix (subscriber, #2304) [Link]
learn, gave up when I realised how undocumented most of it was, and ended
up delegating the job to a Cisco router, which probably does a worse job
of it than the kernel could but at least is documented.
Documentation!
Posted Mar 27, 2009 4:46 UTC (Fri) by rusty (guest, #26) [Link]
called ip-cref.tex and it's in the source distribution of iproute2.
That said, I'd be happy to write a HOWTO for nftables, once it's ready for non-devs. Only takes
about a week to write a decent HOWTO.
Documentation!
Posted Mar 27, 2009 6:26 UTC (Fri) by ras (subscriber, #33059) [Link]
But ip is a relatively simple command compared to tc, and all he provided for it was README.iproute2+tc. I guess without it, I would not have known the purpose of the tc command. For the rest I had to read the source.
> That said, I'd be happy to write a HOWTO for nftables
Bugger future messes these people might create, how about fixing the ones they have left behind? I wrote my own doco when I decided to use tc in anger: http://www.stuart.id.au/russell/files/tc/doc so I am not asking for someone to do something I haven't done myself. And before you ask the obvious question: after dealing with the kernel devs once, I think Conroy must be easier to deal with. Perhaps I exaggerate, but only by a tiny bit.
Documentation!
Posted Mar 27, 2009 18:09 UTC (Fri) by kaber (guest, #18366) [Link]
Documentation!
Posted Mar 27, 2009 23:52 UTC (Fri) by ras (subscriber, #33059) [Link]
Writing reference documentation (like a man page) is something programmers do well. Writing concise (as in contains few redundancies), complete and unambiguous explanations is what most programmers do naturally - and it normally comes easily to them regardless of the language - C or English. I suspect this is why the man page system is one of the best sources of documentation around. There are notable exceptions of course - like the sudo man page, but even that manages to be clearer than some ISO specs I have read.
HOWTO's and tutorials - well rusty seems to have a remarkable talent for it, but he is the exception rather than the rule. The best HOWTO's seem to come from the users.
I see below you are talking of adding nftables as a classifier. This is even better news. It is a way of evolving the mess we have now into something sane.
Documentation!
Posted Jun 4, 2014 19:49 UTC (Wed) by pgoetz (guest, #4931) [Link]
Documentation!
Posted Mar 27, 2009 21:51 UTC (Fri) by giraffedata (guest, #1954) [Link]
But are you saying you'd be better off if there were no traffic control system? Because I believe that's what dskoll's point is: a patch that adds a feature should be rejected unless it additionally adds documentation to help people use it.
There is plenty of open source code I don't use because of lack of quality documentation, but I never fault the person who made the code available to me.
Documentation!
Posted Mar 28, 2009 0:59 UTC (Sat) by ras (subscriber, #33059) [Link]
There is no doubt in this case I _am_ faulting the person who provided the code. Well, to be more accurate, I fault the project. The project should not accept the code without documentation.
Evidently you think this is unreasonable. But my attitude is actually worse, if that is possible - I hold different projects to different standards. I am perfectly happy with a buggy, poorly documented 1000 line utility I found on sourceforge. Yet when it comes to large projects like samba, apache and gcc I expect so much more. I actually expect code and documentation that is at least as good as I get from a commercial vendor. Can you believe that! I actually expect the open source process to produce a better quality product than something I pay money for!
Well unreasonable or not, I write the occasional open source program and I hold myself to those standards. You sort of have to really, because if you produce crap everyone can see it - you ain't some anonymous coder hiding behind an organisation.
Still, I don't produce code as good as I see in the kernel. Patrick, rusty and friends - they hold each other to the highest standards. New code that makes it into the kernel core is usually beautifully written. And the kernel project has a savage review process that ensures it stays that way.
Yet no matter how beautiful the code is, there is no point it if nobody uses it. And that is the situation netfilter finds itself in. Out of all the potential uses it might have it is deployed in, it is in but a fraction of them. This is because figuring out how to use it is a huge effort. Because there is no doco you have to read the source to get a true understanding of how it works. Thus only C programmers who are prepared to troll the kernel and iproute2 source really have a clue. Actually it is even worse than that. In the case of the schedulers the code is (necessarily) so complex the code only gets you part way there. You have to read the original academic papers on the algorithms used. (HTB, being the only scheduler written outside of the kernel team, is the one exception.) The situation is so bad its even defeated all the book writers.
So, returning to the original point, we have arguably the largest open source project of them all, the kernel, churning out code almost no one uses because they don't regard documentation as an important part of the final product. And yeah, I think this means the kernel development process is broken. And yes, I hold the people who drive that development process accountable. They could do so much better.
Documentation!
Posted Apr 16, 2009 6:23 UTC (Thu) by zmi (guest, #4829) [Link]
it, but didn't understand it really. There was a package "wondershaper" on
SUSE Linux, but still I never managed to do much more than add a port to
"higher priority".
Having a clean, logical and documented integration of traffic shaping and
firewalling would be a good reason to switch to nftables.
Of the GUI tools I really like "fwbuilder", although it lacks the ability
to define subroutines so you could compress several checks into one call
and thus make the overall ruleset smaller and cleaner.
Nftables: Not addressing VJ channels or userspace tcp
Posted Mar 25, 2009 3:11 UTC (Wed) by dlang (guest, #313) [Link]
on just about every real-world ruleset I've needed to deal with I was able to split the ruleset up through multiple tables/chains and not only speed up the processing, but make the ruleset smaller and easier to understand.
it's like the complaint about the inability to log and drop in one command. create a separate chain called LOGDROP with two rules, the first unconditionally logs the packet, the second unconditionally drops the packet. then in your rules where you want to log and drop you don't need two conditionals, you just do -j LOGDROP and it does both.
I've had firewall rulesets drop from 2000+ lines to <200 lines by using fairly simple tricks like having one set of rules that just examines the source/destination IP addresses and jumps to another chain that doesn't look at IP addresses, but only considers ports.
very few people seem to realize the power that comes from creating your own chains and splitting different types of checking between them.
nftables could be a significant win on the performance side, but to get there it really should start out by replicating the XXtables functionality that exists today so that users don't _need_ to care about nftables.
Nftables: Not addressing VJ channels or userspace tcp
Posted Mar 25, 2009 4:02 UTC (Wed) by ras (subscriber, #33059) [Link]
However, that is just my reading of the political wind. Personally I don't would not care if one day nftables just replaced iptables. It would not be a huge job to just replace my firewalls - if there was documentation.
As for speed, I think that is a minor issue compared to the code duplication. If you really want a fast firewall you could use a u32 ingress filter now for many purposes. And that is a problem. These layers all implementing similar functions bloat the kernel, slow things down and complicate things immensely. Networking is hard enough without having several different ways of doing things.
Nftables: Not addressing VJ channels or userspace tcp
Posted Mar 28, 2009 0:04 UTC (Sat) by Nelson (subscriber, #21712) [Link]
on just about every real-world ruleset I've needed to deal with I was able to split the ruleset up through multiple tables/chains and not only speed up the processing, but make the ruleset smaller and easier to understand.That's only partially true. Every maintained, real-world firewall, that is run by a more programmery type admin is this way. Just about all the others are complete cluster-Fs.
I've seen more than a few firewalls where people started adding special rules for things, with no documentation and then it changes hands, and after a while it's big, ugly, and nobody knows why it does what it does and they're afraid to change it.
FWIW, a compiler can optimize those big ugly ones down to the minimal set and they can also optimize them for efficiency. It's just about a perfect compiler problem from a textbook or something.. Since that's the case, while it's nice to let the programmer configure the tables and define why packets should flow through the rules of different ones, but it seems like there is a good case to build that compiler and just solve it for everyone.
I've developed a number of products that make use of netfilter in different ways. I like the goals of NFtables. Some of the netfilter plugins are kind of calcified, some are useless, not all are IPv6 compliant; it's worth cleaning it all up and setting a new benchmark.
Nftables: Not addressing VJ channels or userspace tcp
Posted Apr 6, 2009 8:14 UTC (Mon) by dlang (guest, #313) [Link]
the point being that you don't have to throw out the current system to get that, you 'just' need to create the tools to analyse the rulesets and optimize them.
nftables may have some real benefits, but a lot of what's being claimed for it could be done with iptables today, and doing it requires verylimilar tools be written in either case (the difference being if it compiles down to iptables commands or to nftables commands)
it has been commented that iptables was intended to be the assembly language level with the expectation that higher level languages would be written to compile down to it. In practice it is used directly.
it looks like nftables is intended to be the machine language level, making it unsuitable (and effectivly unusable) for admins directly with the expectation that higher level languages will be written to compile down to it.
since the higher level tools were never created for iptables I am concerned that they won't be for nftables, which is why I was calling for the minimum to be a compiler for the existing iptables functions.
people talk a lot about the need for 'high level' firewall/router controls, but as far as I know, nobody has ever produced a usable set of such 'high level' controls. every attempt that I have seen ends up oversimplifying things to the point that they are usable for a very small set of tasks, and as soon as you need _anything_ outside of that set, you have to throw out the 'simple' tool and go back to the low-level tool.
User-space TCP/IP
Posted Mar 26, 2009 22:51 UTC (Thu) by zlynx (guest, #2285) [Link]
If you do not trust your user-space for some reason, then the thing to do would be to force applications to communicate through a user-space daemon process. You would lose performance, just like forcing graphics apps to use the X server instead of direct rendering.
A separate piece of hardware for doing firewall is usually a better idea and if you care about performance enough, you would have one anyway.
Nftables: a new packet filtering engine
Posted Mar 25, 2009 0:07 UTC (Wed) by herge (guest, #57423) [Link]
- no session replication between two firewalls.
- rule-matching should be done only for the first packet of a connection. Actually it is done per packet when using the filter table. While you can do this with PREROUTING, it should be done as a standard.
- RELATED state whould be handled natively, ne need to add RELATED rules for this.
- matching TIME_WAIT state as a default is dangerous : a short-lived TCP connection will be maintained in the connections' table for too long.
- using macro for rule maintenance, as done by pf.
pf and most commercial firewalls perform that way. Iptables' design is way broken.
Nftables: a new packet filtering engine
Posted Mar 25, 2009 1:12 UTC (Wed) by dlang (guest, #313) [Link]
you can match on every packet of the connection. most people don't bother, but all you have to do is to not put 'if established allow' at the top of your ruleset.
the question of what is done automaticaly and what should be done explicitly can be argued forever, I see this as significantly weakening your RELATED complaint.
where does it match TIME_WAIT by default?
as for macros for rule management, with iptables you can use whatever tools you want in userspace to create your rules.
the things you are listing as drawbacks don't seem as drastic to me as they seem to appear to you.
Nftables: a new packet filtering engine
Posted Mar 25, 2009 10:50 UTC (Wed) by herge (guest, #57423) [Link]
# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
120
Once a connection has reached the TIME_WAIT state, it will be kept in the connection table for 120s.
While it can be tuned down, thei behavior should be dropped IMHO.
Nftables: a new packet filtering engine
Posted Mar 25, 2009 2:16 UTC (Wed) by bduncan (subscriber, #6886) [Link]
I for one, am eagerly awaiting nftables!
Nftables: a new packet filtering engine
Posted Mar 28, 2009 3:57 UTC (Sat) by rusty (guest, #26) [Link]
> - no session replication between two firewalls.
Well, that's not really a core iptables responsibility, IMHO.
> - rule-matching should be done only for the first packet of a
> connection. Actually it is done per packet when using the filter table.
> While you can do this with PREROUTING, it should be done as a standard.
Um, this is pretty trivial to set up. You probably want something like:
iptables -N NEWPKTS
iptables -A INPUT -m state --state NEW,INVALID -j NEWPKTS
Then put your rules in the NEWPKTS chain. (For simpler setups, you
can just have your first rule accept all ESTABLISHED and RELATED packets).
> - RELATED state whould be handled natively, ne need to add RELATED rules for this.
But if someone wants to log related packets, such an implicit rule would be a PITA.
> - matching TIME_WAIT state as a default is dangerous : a short-lived TCP
> connection will be maintained in the connections' table for too long.
There's an argument that the assured bit should be reset for TIME_WAIT conns (which makes the eligible for reaping if we need to make space), but you have to keep tracking conns through TIME_WAIT; the state is there in TCP for a reason!
> - using macro for rule maintenance, as done by pf.
This, I think, is your real issue: iptables is too low-level. I agree, but it was a deliberate decision to leave building the higher levels to someone else. As I've alluded elsewhere, it didn't really work.
> pf and most commercial firewalls perform that way. Iptables' design is
> way broken.
See above.
Hope that clarifies,
Rusty.
Scope for porting to network processors
Posted Mar 25, 2009 2:37 UTC (Wed) by alex (subscriber, #1355) [Link]
there would be for porting the virtual nftables code to a network
processor? A lot of high end networking hardware works with custom
networking processors (CPU's tuned to packet inspection/direction).
On a slightly un-related note is the nftables VM sufficient enough to
replicate traffic shaping functionality?
Scope for porting to network processors
Posted Mar 25, 2009 3:32 UTC (Wed) by kaber (guest, #18366) [Link]
Traffic shaping
Posted Mar 26, 2009 20:27 UTC (Thu) by dion (guest, #2764) [Link]
I've had the displeasure of having to set up traffic shaping on a couple of occasions and every time I had to read tons of incomplete documentation and outdated documentation.
I realize that there's always the danger of designing something like this to death, but it would be very cool if a proper, userfiendly integration with traffic shaping could be baked in this time around, the gulf between tc and iptables has been a an absolute catastrophe wrt. usability, mindshare and documentation.
Traffic shaping
Posted Mar 27, 2009 18:35 UTC (Fri) by kaber (guest, #18366) [Link]
I agree on the "designing to death" risk, but this is something that affects the API and because of that needs to be considered from the beginning. I'm about to finish the second-to-last missing part of the API (an API for maintaining sets independently of rules), hooking it up to TC will be the next and probably last bigger part.
Traffic shaping
Posted Mar 27, 2009 23:37 UTC (Fri) by rmayr (guest, #16880) [Link]
quality, but it was understandable from a user point of view. IFB isn't and it doesn't work in
many cases important in practical scenarios. I have been dealing with ingress shaping for
the past 2 years and managed to get many Linux gateways deployed because of the
flexibility that combining netfilter marks with IMQ gave me. IFB so far doesn't seem to be a
capable replacement, and IMQ is broken with >= 2.6.27.
Traffic shaping is becoming more important by the month. It's time to let it become
manageable under Linux.
Traffic shaping
Posted Mar 28, 2009 13:25 UTC (Sat) by dion (guest, #2764) [Link]
Why is it that I can't simply pipe traffic via a queue from any arbitrary firewall rule?
Scope for porting to network processors
Posted Mar 26, 2009 0:05 UTC (Thu) by Thalience (subscriber, #4217) [Link]
Scope for porting to network processors
Posted Mar 28, 2009 20:03 UTC (Sat) by jzbiciak (guest, #5246) [Link]
Nftables: a new packet filtering engine
Posted Mar 25, 2009 11:31 UTC (Wed) by job (guest, #670) [Link]
An excellent article, as always. Nftables is one of those things I really wanted to take a look at "any day now".
As a user/sysadmin, these are the main problems I have with iptables and friends:
- It's too modular. There are about a gazillion modules, one can hardly know about them all. Sometimes they do common operations with slightly different syntax.
- The iptables syntax can be improved. Compared to pf it is much harder to read configuration files, and to update them run-time. With tc you pretty much have to use the u32 classifier, which is sparsely documented.
- Speaking of tc, the integration between traffic management and packet filter must improve. Preferably using the same classifiers and managed with the same tools.
It would also be desirable to use table lookups for large rulesets to improve performance. Nftables seems to be an interesting development. My immediate worries are that Using a byte code interpreter in the kernel is a very dangerous path. It's like a do-everything-syscall, opaque and hard to understand.
Also, what about the connection trackers such as FTP, SIP etc.? Shall they be called from bytecode or reimplemented? They also contribute to duplicated code.
Nftables: a new packet filtering engine
Posted Mar 26, 2009 1:37 UTC (Thu) by gdt (subscriber, #6284) [Link]
My immediate worries are that Using a byte code interpreter in the kernel is a very dangerous path. It's like a do-everything-syscall, opaque and hard to understand.
I think a byte code interpreter would be more secure than the current situation, where people who want to get a particular protocol supported have to write a netfilter module. If you think the user-space documentation for iptables hasn't been maintained for years, well the netfilter documentation is much worse. Compared with new kernel authors writing modules which can access any kernel memory or service using under-documented APIs -- a byte code interpreter looks sane: it limits the memory accessed, it talks the language of networking rather than the kernel, it has a limited API, and it has no locking or other kernel-specific difficulties.
Sure, a byte code interpreter makes it possible to do the wrong thing with a syscall. But that wrong thing can't do anything but access and manipulate packets. It can't cause the kernel to crash and die like a poor netfilter module.
Nftables: a new packet filtering engine
Posted Mar 26, 2009 17:06 UTC (Thu) by samroberts (subscriber, #46749) [Link]
and pre-existed iptables. It does matching, but doesn't have actions.
I find it interesting that the lwn article and what little info I saw
about nftables doesn't either. It seems sufficiently similar, why isn't
it being used as a basis for the opcode interpreter? NIH?
And why the firewalling didn't take a BPF-like approach with an opcode
interpreter and user-space compiler from the start is beyond me.
Nftables: why it isn't based on BPF
Posted Mar 27, 2009 6:55 UTC (Fri) by speedster1 (guest, #8143) [Link]
http://people.netfilter.org/kaber/weblog/2008/08/20/
A very important feature, one that is missing from all other filters that are built similar in the kernel (like BPF, TC u32 filter, ...), is reconstruction of high level constructs from the representation within the kernel. TC u32 for example allows you to specify "ip daddr X", but when dumping the filter rules it will just display an offset and length.
Nftables: a new packet filtering engine
Posted Mar 27, 2009 18:14 UTC (Fri) by kaber (guest, #18366) [Link]
Nftables: a new packet filtering engine
Posted Mar 28, 2009 17:21 UTC (Sat) by yoduh (subscriber, #38527) [Link]
Nftables: a new packet filtering engine
Posted Apr 3, 2009 18:22 UTC (Fri) by trasz (guest, #45786) [Link]
Nftables: a new packet filtering engine
Posted Mar 25, 2009 15:48 UTC (Wed) by mgedmin (subscriber, #34497) [Link]
Does it have _real_ subroutines?
Posted Mar 27, 2009 14:26 UTC (Fri) by Yenya (subscriber, #52846) [Link]
I have an IPtables firewall routing between about 9 vlans, some of which have the security status of "outside world", other having various levels of security (currently I have >1600 iptables rules, and some of the filtering - like blacklisting some IP address blocks - is done on the iproute2 "ip rule" level outside iptables). There is no way how can I say "treat such and such traffic outgoing from one of my VLANs as legal, but consult further the rules for the destination machine on the other VLAN", without replicating some of the rules and without being _extremely_ careful about not calling ACCEPT in some chains.
Also, would the interpreted filtering have any performance impact? I am currently able to route about 1.5 Gbit/s of traffic with those >1600 rules on a dual-CPU opteron box. Would nftables be able to handle it as well?
Does it have _real_ subroutines?
Posted Mar 27, 2009 18:26 UTC (Fri) by kaber (guest, #18366) [Link]
About performance: the current version is missing some optimizations and is noticably slower than iptables with linear classification. I have a few optimization patches that inline small aligned data loads and comparisons into the main evaluation loop, which results in about equal performace to iptables (it can't be compared directly).
Where nftables gives better performance is when you're able to restructure your rulesets to make use of sets and jump and data maps to reduce the amount of rules evaluated for each packet. Sets are pretty obvious I guess, with jump maps you can structure your ruleset as a tree and have efficient classification in the nodes. Data maps allow you collaps similar rules than differ only in the target, f.i.:
iptables ... -i vlan0 -j SNAT --to-source ip1
...
iptables ... -i vlanN -j SNAT --to-source ipN
becomes
nft ... snat map meta iif { vlan0 => ip1, ..., vlanN => ipN }
Does it have _real_ subroutines?
Posted Mar 27, 2009 21:00 UTC (Fri) by Yenya (subscriber, #52846) [Link]
Please, please, PLEASE merge this!
Posted Apr 2, 2009 10:02 UTC (Thu) by ringerc (subscriber, #3071) [Link]
- Can quickly and efficiently compile and load rules from a single simple file without hundreds or thousands of invocations of the `iptables' process
- Can implement sane error handling for rule definition; and
- Can potentially TRANSACTIONALLY APPLY RULE CHANGES
*PLEASE* merge this. I've wanted these capabilities for so long - iptables' userspace interface is SO awful to work with.
Please, please, PLEASE merge this!
Posted Apr 2, 2009 10:36 UTC (Thu) by mgb (guest, #3226) [Link]
Please, please, PLEASE merge this!
Posted Apr 3, 2009 18:24 UTC (Fri) by trasz (guest, #45786) [Link]
now? ;-)
Nftables: a new packet filtering engine
Posted Apr 2, 2009 10:45 UTC (Thu) by jengelh (subscriber, #33263) [Link]
_Four_ of them: ip, ip6, arp, eb.
And the kickoff for the mess is that someone decided to do a parallel copy, from struct ipt_ip to ip6t_ip6 instead of creating a higher level that could contain either ipt or ip6t as sub-data. (E.g. footabels -m ip6t) Then lots of the table management mess could have been avoided.
Nftables: a new packet filtering engine
Posted Apr 3, 2009 5:40 UTC (Fri) by ejmarkow (guest, #56170) [Link]
Nftables: a new packet filtering engine
Posted Apr 3, 2009 13:02 UTC (Fri) by nix (subscriber, #2304) [Link]
than iptables, so porting (really 'reimplementing') it isn't something
that's terribly likely to happen.
Nftables: a new packet filtering engine
Posted Apr 3, 2009 18:18 UTC (Fri) by xorbe (guest, #3165) [Link]
Nftables: a new packet filtering engine
Posted Apr 4, 2009 18:56 UTC (Sat) by mjcoder (guest, #54432) [Link]
Nftables: a new packet filtering engine
Posted Apr 4, 2009 20:02 UTC (Sat) by nix (subscriber, #2304) [Link]
Nftables: a new packet filtering engine
Posted Apr 6, 2009 15:49 UTC (Mon) by kanchev (guest, #42519) [Link]