Difference between revisions of "Talk:Nftables"

From ArchWiki

Latest revision as of 09:30, 6 February 2019

Future article updates

I'm gonna be messing around with this page quite a bit in the coming weeks. The docs are pretty sparse, so it's gonna take some tinkering.

--sudokode (2014-01-27 17:27:30 UTC)

Bad practice and redundant code

Sitting beside the nftables maintainer, asking for feedback.

This page's sample rulesets could use a good cleanup. I'll do that soon.

TCP flag checks are not necessary, because you can just check for whether the packet is in an invalid state, or just not whitelist:

/* kernel excerpt (net/netfilter/nf_conntrack_proto_tcp.c): conntrack indexes this
   table with the packet's TCP flag byte after masking off PSH, ECE and CWR; a zero
   entry means the packet is not tracked and shows up in nftables as "ct state invalid" */
/* table of valid flag combinations - PUSH, ECE and CWR are always valid */
static const u8 tcp_valid_flags[(TCPHDR_FIN|TCPHDR_SYN|TCPHDR_RST|TCPHDR_ACK|
                                 TCPHDR_URG) + 1] =
{
        [TCPHDR_SYN]                            = 1,
        [TCPHDR_SYN|TCPHDR_URG]                 = 1,
        [TCPHDR_SYN|TCPHDR_ACK]                 = 1,
        [TCPHDR_RST]                            = 1,
        [TCPHDR_RST|TCPHDR_ACK]                 = 1,
        [TCPHDR_FIN|TCPHDR_ACK]                 = 1,
        [TCPHDR_FIN|TCPHDR_ACK|TCPHDR_URG]      = 1,
        [TCPHDR_ACK]                            = 1,
        [TCPHDR_ACK|TCPHDR_URG]                 = 1,
};

ICMPv6 rate limiting like in the example is just stupid, for it breaks neighbour discovery (IPv6 ARP), ICMP isn't expensive to process, and it's not ICMP in and of itself that is the problem. Anyhow, QoS is the job of the traffic control subsystem.

We probably should make note of kernel requirements for rulesets (e.g., 3.18+, so won't work with 3.14 linux-lts).

Maybe we should also provide guidance for getting upstream documentation, and troubleshooting. Attendance at netdev01 confirmed that it is in quite active development, and lots of usability features and fixes are in the pipeline.

Allowing all ICMP is not necessary, and is already handled by conntrack RELATED,ESTABLISHED. -- alp (2015-02-17
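A ruleset fragment written to follow the three points above (no explicit TCP flag checks, no ICMPv6 rate limit, no blanket ICMP accept). This is an added example, not code from the wiki article or from the nftables project; the table and chain names and the single offered service (SSH on port 22) are constructed for illustration.

```nft
#!/usr/bin/nft -f
# Constructed example ruleset; needs a kernel with nftables support
# (the thread above notes 3.18+, so not the 3.14 linux-lts series).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic.
        iif lo accept

        # Conntrack already refuses bad TCP flag combinations (the kernel's
        # tcp_valid_flags table), so this single rule replaces hand-written
        # "tcp flags ..." checks.
        ct state invalid drop

        # Replies and related traffic, including ICMP/ICMPv6 error messages
        # for tracked flows, are accepted here; no "accept all ICMP" needed.
        ct state established,related accept

        # Neighbour discovery is IPv6's ARP: accept it, never rate limit it.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } accept

        # Unsolicited ICMP we choose to answer. No limit statement here;
        # if shaping is wanted, that is the job of tc, not the firewall.
        icmp type echo-request accept
        icmpv6 type echo-request accept

        # Services offered by this host (constructed: SSH only).
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` (or check syntax first with `nft -c -f`); everything not matched above falls through to the input chain's drop policy.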

nft 0.7 warning entry

Hey, thanks for discussion!

I've done research and now know what the issue is. I will replace the warning with a note.

For the reason the config is not working, check out https://unix.stackexchange.com/questions/408497/nftables-configuration-error-conflicting-protocols-specified-inet-service-v-i?rq=1

Cheers, Hetti (unsigned comment by Hetti (talk), 15:29, 5 February 2019 (UTC))