Weekly Edition
Return to the Kernel page
| |||||||||||||
Nftables: a new packet filtering engine
Packet filtering and firewalling has a long history in Linux. The first
filtering mechanism, called "ipfwadm," was released in 1995 for
the 1.2.1 kernel. This code was used until the 2.2.0 stable release
(January, 1999), when the new "ipchains" module took over. While ipchains
was useful, it only lasted until 2.4.0 (January, 2001), when it, too, was
replaced by iptables/netfilter, which remains in the kernel now. If
netfilter maintainer Patrick McHardy has his way, though, iptables, too, will be
gone in the future, replaced by yet another mechanism called
"nftables." This article will give an overview of how nftables works,
followed by a discussion of the motivations behind this change.
The first public nftables release came out on March 18. This code has been in the works for a while, though, and the ideas were discussed at the 2008 Netfilter Workshop. So nftables is not quite as new as it might seem. The current iptables code has a lot of protocol awareness built into it. There is, for example, a module dedicated to extracting port numbers from UDP packets which is different from the module concerned with TCP packets. The nftables implementation is entirely different; there is no protocol knowledge built into it at all. Instead, nftables is implemented as a simple virtual machine which interprets code loaded from user space. So nftables has no operation which says anything like "compare the IP destination address to 196.168.0.1"; instead, it would execute code which looks like:
payload load 4 offset network header + 16 => reg 1
compare reg 1 192.168.0.1
(Patrick presents the code in mnemonic form, and your editor will do the same; the actual code loaded into the kernel uses opcodes instead). The first line loads four bytes from the packet, located 16 bytes past the beginning of the network reader, into register 1. The second line then compares that register against the given network address. The language can do a lot more than just comparing addresses, of course. There is, for example, a set lookup feature. Consider the following:
payload load 4 offset network header + 16 => reg 1
set lookup reg 1 load result in verdict register
{ "192.168.0.1" : jump chain1,
"192.168.0.2" : drop,
"192.168.0.3" : jump chain2 }
This code will cause packets aimed at 192.168.0.2 to be dropped; for the other two listed addresses, control will be sent to specific rule chains. This set feature allows for multi-branch rules in a way which cannot be done with the current iptables implementation (though the ipset mechanism helps in that regard). The above code also introduces the "verdict register," which records an action to be performed on a packet. In nftables, more than one verdict can be rendered on a packet; it is possible to add a packet to a specific counter, log it, and drop it all in a single chain without the need (as seen in iptables) to repeat tests. There are a number of other capabilities built into the nftables virtual machine. There's a set of operations for communicating with the connection-tracking mechanism, allowing connection information to be used in deciding the fate of specific packets. Other operators deal with various bits of packet metadata known to the networking subsystem; these include the length, the protocol type, security mark information, and more. Operators exist for logging packets and incrementing counters. There's also a full set of comparison operations, of course. Network administrators are unlikely to be impressed by the idea of programming a low-level virtual machine for their future firewalling needs. The good news is that there will be no need for them to do so. Instead, they'll write higher-level rules which will then be compiled into virtual machine code before being loaded into the kernel. The nftables utility does this work, implementing a human-readable language encapsulating most of the needed information about how packets are put together. So, if we look back to the first test described above:
payload load 4 offset network header + 16 => reg 1
compare reg 1 192.168.0.1
The administrator would simply write "ip daddr 192.168.0.1" and let nftables turn that into the above code. A full (if simple) rule looks something like this:
rule add ip filter output ip daddr 192.168.0.1 counter
This rule will count packets sent to 192.168.0.1. The new nftables API is based on netlink, naturally. Unlike the current iptables API, it has the ability to modify individual rules without the need to reload the entire configuration. There is also a decompilation facility built into nftables that allows the recreation of human-readable rules from the current in-kernel configuration. [PULL QUOTE: This could be a disruptive and expensive transition; the kernel development community will want to see some very good reasons for inflicting this pain on its users. END QUOTE] All told, it looks like a nicely-designed packet filtering mechanism, but the merging of nftables is likely to be controversial. The iptables mechanism works well, and is widely used; replacing it with code which breaks the user-space API and breaks all existing iptables configurations is guaranteed to raise some eyebrows. This could be a disruptive and expensive transition, even if, as seems necessary, the developers commit to maintaining both iptables and nftables in the mainline for an extended period of time. The kernel development community will want to see some very good reasons for inflicting this pain on its users. There are some good reasons, but one should start by noting that it should be possible to create a tool which reads current iptables configurations and converts them to the nftables language - or even directly to kernel virtual machine code. Patrick seems to expect to create such a tool One Of These Days, but it does not exist at this time. Some of the reasons for replacing iptables have already been hinted at above. The protocol knowledge built into the iptables code has turned out to be a problem over time; there is a lot of duplicated code doing the same thing (extracting port numbers, say) for different protocols. Even worse, the capabilities and syntax tend to vary from one protocol to the next. By moving all of that knowledge out to user space, nftables greatly simplifies the in-kernel code and allows for much more consistent treatment of all protocols. There are a lot of optimization possibilities built into the new system. Some expensive operations (incrementing counters, for example) can be skipped unless the user really needs them. Features like set lookups and range mapping can collapse a whole set of iptables rules into a single nftables operation. Since filtering rules are now compiled, there is also potential for the compiler to optimize the rules further. Traditional firewall configurations tend to perform the same tests repeatedly; a smart nftables compiler could eliminate much of that duplicated work. Unsurprisingly, this optimization remains on the "to do" list for now, but the fact that all of this work is done in user space will make it easy to add such features in the future. The nftables tool will also be able to perform a higher level of validation on the rules it is given, and it will be able to provide more useful diagnostics than can be had from the iptables code. But, arguably, the most important motivation is the ability to dump the current ABI. The iptables ABI has become an increasing impediment to development over time. It includes protocol-specific fields which has made it hard to extend; that is part of why there are actually three copies of the iptables code in the kernel. When developers wanted to implement arptables and ebtables, they essentially had to copy the code and bang it into a new, protocol-specific shape. Patrick estimates that, even after four years of unification work, the kernel contains some 10,000 lines of duplicated filtering code. Beyond that, the structures used in the ABI are also used directly in the kernel's internal representation, making that implementation even harder to change. Separating the two would be possible through the addition of a translation layer, but the details involved (including the need to translate in both directions) increase the risk of adding subtle problems. In summary, the iptables ABI has become a serious impediment to further progress in packet filtering. Nftables is a chance to dump all of that code and replace it with a much smaller filtering core which should prove to be quite a bit more flexible. With any luck, nftables should last a long time; the virtual machine can be extended in unexpected ways without the need to break the user-space ABI (again). It's smaller size should make it well suited to small router deployments, while its lockless design should appeal to administrators of high-end systems. All told, chances are good that the larger community will eventually see this change as being worthwhile. But not for a while: there are some unfinished pieces in nftables, and the larger discussion has not yet begun. (For more information, see this weblog posting from August, 2008 and the slides from Patrick's presentation [ODF] at the Netfilter Workshop). (Log in to post comments)
Nftables: a new packet filtering engine Posted Mar 24, 2009 17:25 UTC (Tue) by JoeBuck (subscriber, #2330) [Link] If there were a translator that could take iptables rules and produce nftables rules, either the high-level form or the virtual machine form, then it seems that this change would be a no-brainer: iptables firewalls keep working and the kernel has a smaller, more flexible and powerful implementation. But without such a translator, users lose big-time.So a translator should be a prerequisite for accepting nftables, because it allows iptables to go away.
Nftables: a new packet filtering engine Posted Mar 24, 2009 17:44 UTC (Tue) by yokem_55 (subscriber, #10498) [Link]
The main requirement for a translator though is that it cannot cause subtle changes in behavior between the original iptables implementation and the translated nftables implementation. It would seem to me that the less risky, and perhaps easier transition would be to mark iptables as deprecated, merge nftables in parallel with iptables, and in a couple of years pull the plug on iptables. By that time it should be clear if a translator can work reliably, and for most folks to implement their filters in nftables "native" code.
Nftables: a new packet filtering engine Posted Mar 24, 2009 17:58 UTC (Tue) by martinfick (subscriber, #4455) [Link]
Or, maybe a change like this to the user ABI (removing iptables) could be done by bumping to a 2.8 number?
Nftables: a new packet filtering engine Posted Mar 24, 2009 18:21 UTC (Tue) by kaber (subscriber, #18366) [Link]
Translating normal header matches like address and port matches should work fine, there really arent't any subtleties in that area. It might look differently in case of matches with more complex behaviour, like, lets say, the policy match. But with the necessary care I wouldn't expect many problems.
That said, iptables is certainly going to stay for quite a while. The rough plan so far is to add a converter/parser for the old syntax, shake out the bugs, and at some point transparently enable it in userspace once it has proven itself. A couple of years sounds realistic to me. But since this hasn't been discussed yet, things might also turn out differently.
Nftables: a new packet filtering engine Posted Mar 24, 2009 22:17 UTC (Tue) by man_ls (subscriber, #15091) [Link] I like this. So, if I understood well, an iptables-like command (with syntax identical to the old-style command) will transparently generate new-style rules and load them? That would be a very good proof of the versatility of the new engine.
Nftables: a new packet filtering engine Posted Mar 29, 2009 6:58 UTC (Sun) by ernest (subscriber, #2355) [Link]
Wel, a translator which loads the old iptable rules could prevent the new high level nftable language from ever being further developped.
This could be a problem, but maybe not. It depends on how much more can be done with the new highlevel nftable language or how efficient the iptable rule translator will be.
Ernest.
Wasn't there an ipchains ---> iptables compatibility mode? Posted Mar 24, 2009 17:58 UTC (Tue) by felixfix (subscriber, #242) [Link]
Been a while since I did much with packet filtering, since my setups haven't changed much. Wasn't there a compatibility mode when iptables was introduced, or a converter?
Wasn't there an ipchains ---> iptables compatibility mode? Posted Mar 24, 2009 18:40 UTC (Tue) by wstearns (✭ supporter ✭, #4102) [Link]
I'm getting rusty (the pun was truly unintentional) on this, but I believe there was an ipchains kernel module that loaded on top of an iptables architecture kernel. You could do most ipchains tasks with it. You could not mix rules (some ipchains rules and some iptables rules); it was an all-or-nothing switch.
I wrote userspace converters that respectively turned an ipfwadm firewall file into an ipchains firewall (ipfwadm2ipchains) or turned an ipchains firewall into an iptables firewall (ipchains2iptables). Neither created a perfect conversion (there are architectural differences in the firewalls that can't be perfectly converted), but both covered the majority of rules correctly.
The tools can be found at www.stearns.org/i2i/ . Like sausage, they're functional but ugly in their implementation.
Wasn't there an ipchains ---> iptables compatibility mode? Posted Mar 25, 2009 1:00 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]
there were a lot over conversion scripts, but nothing in the kernel.
You are totally wrong Posted Mar 26, 2009 7:51 UTC (Thu) by khim (subscriber, #9252) [Link] Google for "ipchains emulation" and you'll find tons of links to messages about problems with said in-kernel emulation. May be this is why you remember only conversion scripts? IPchains emulation was incomplete and ineffective - that's why most admins just converted scripts: it was easier to convert scripts then to fight problems in emulation. But is was there - that's for sure...
Nftables: a new packet filtering engine Posted Mar 24, 2009 18:51 UTC (Tue) by quotemstr (subscriber, #45331) [Link]
Yet another filtering language? Granted, the system looks a little less imposing than iptables, and that's a good thing.
But there's already a perfectly good, free, and Free filtering solution that's portable to quite a few operating systems. Why not just port pf to Linux?
I can't help but think that nftables is a case of NIH syndrome.
Nftables: a new packet filtering engine Posted Mar 24, 2009 19:11 UTC (Tue) by kaber (subscriber, #18366) [Link]
It is a lot less flexible than even iptables. Less features is always a hard sell. It would also need massive changes to be able to represent an iptables ruleset, so there's really nothing to gain from it.
Nftables: a new packet filtering engine Posted Mar 24, 2009 19:45 UTC (Tue) by patrick_g (subscriber, #44470) [Link] >>> Less features is always a hard sellCould you please tell us wich features are missing in pf ? >>> there's really nothing to gain from it You gain a very modern and efficient packet filter with a good and clear syntax. pf is part of OpenBSD, FreeBSD, NetBSD, DragonflyBSD and I think it would be wise to, at least, consider and discuss this option.
Nftables: a new packet filtering engine Posted Mar 24, 2009 19:45 UTC (Tue) by flewellyn (subscriber, #5047) [Link]
Too true on the "less flexible" bit. PF is a nice idea, but the OpenBSD folk did not add nearly as much flexibility to the system as iptables offers. Doing NAT with it is easy enough in the default setting, but more complex stuff, I found painful.
Nftables: a new packet filtering engine Posted Mar 24, 2009 19:51 UTC (Tue) by quotemstr (subscriber, #45331) [Link]
What exactly were you trying to do?
Nftables: a new packet filtering engine Posted Mar 24, 2009 20:08 UTC (Tue) by flewellyn (subscriber, #5047) [Link]
Route between two NATted LANs and the WAN, with port forwarding and connection tracking. It got hairy when I tried to set up the connection tracking between the two LANs. The WAN-to-LANs tracking wasn't too hard.
This was in 2005, so I will grant that things may have changed since then.
Nftables: a new packet filtering engine Posted Mar 24, 2009 20:11 UTC (Tue) by Alan_Hicks (subscriber, #20469) [Link]
Yeah, that's really pretty easy to do with pf. You should give it a look next time you need a firewall, particularly one with several different interfaces and needs.
Nftables: a new packet filtering engine Posted Mar 25, 2009 13:54 UTC (Wed) by rvfh (subscriber, #31018) [Link]
How about a PF to Nftables translator, along with the iptables to Nftables translator? Isn't that one of the real strength of Nftables, flexibility?
Nftables: a new packet filtering engine Posted Mar 24, 2009 20:00 UTC (Tue) by Alan_Hicks (subscriber, #20469) [Link]
Could you please expand on the "lot less flexible than iptables" comment? In my experience, I've found it to be far far more flexible than iptables. With the ability to update tables in pf from userspace, not to mention the insane performance boost from tables over individual rules[0], it's not only more flexible but outperforms iptables.
Setting up class-based or priority-based queues is also ridiculously easy with pf and included right in the code, not as some add-on. One of the features mentioned in the article about nftables is the ability to easily jump to a different rule or class of rules. This was solved years and years ago by pf with the use of anchors.
As far as features go, I just gave you three. There are plenty more (scrubbing packets and antispoof instantly come to mind), but perhaps the best is the sane and clearly readable syntax for pf, not to mention the more powerful pfctl tool[1].
As for porting, pf originated with OpenBSD and has been ported to FreeBSD, NetBSD, and Dragonfly BSD. I'm not programmer though, so I can't say for certain how easy it would be to port to Linux, but my understanding is that there are some fairly radical architecture differences in those four BSDs, particularly in regards to the new off-shoot Dragonfly. I would make a SWAG that porting it wouldn't be any more difficult than writing an entirely new packet filter.
[0] There's an out-of-tree module for iptables that allows binary lists and functions similarly to pf's tables I'm told.
Nftables: a new packet filtering engine Posted Mar 25, 2009 11:58 UTC (Wed) by osma (subscriber, #6912) [Link] What I particularly like (as a sysadmin) in pf are two things:
I don't have an opinion on whether to port pf or not, but I hope that whatever replaces iptables will consider these features. It sounds like the nftables approach has the potential for these, as the ruleset processing is done mostly in user space.
Nftables: a new packet filtering engine Posted Apr 2, 2009 10:39 UTC (Thu) by jengelh (subscriber, #33263) [Link]
>after editing the ruleset file, the pfctl tool can be used to do a live update of the kernel ruleset without e.g. breaking existing connections
You can do the same with iptables-restore.
Nftables: a new packet filtering engine Posted Mar 24, 2009 19:18 UTC (Tue) by clugstj (subscriber, #4020) [Link]
"just port pf to Linux"
I know nothing about this particular case, but many times, the effort to port something is nearly the same as re-inventing it.
Nftables: a new packet filtering engine Posted Mar 24, 2009 23:24 UTC (Tue) by fuhchee (guest, #40059) [Link] the effort to port something is nearly the same as re-inventing itAnd only one third the fun.
Nftables: a new packet filtering engine Posted Mar 25, 2009 3:26 UTC (Wed) by kaber (subscriber, #18366) [Link]
Indeed :)
To clarify: I certainly did consider the way pf does things and there are quite a few things I like better than in iptables, starting with having a language specifically designed for filtering rules, compared to the quite primitive shell command invocation mainly used with iptables.
But porting the kernel side doesn't make sense at all. The code structure doesn't match how things are done in the Linux kernel, the API doesn't match what we want, its tightly coupled to a different NAT and state tracking system and even basic things like rule evaluation order are different from what iptables does. There's no way to transform it into something that can be backwards compatible with iptables/ip6tables/arptables/ebtables without basically rewriting it.
Nftables: a new packet filtering engine Posted Mar 27, 2009 4:54 UTC (Fri) by rusty (✭ supporter ✭, #26) [Link]
The thing I really like about pf is that it's an all-in-one control. No separate tools for traffic
shaping and filtering, which is so fragmented in Linux. But I haven't used it in anger.
That said, I feel they've made the same mistake as just about everyone else in conflating NAT
But I always intended iptables as the assembler language of firewalls. Someone was supposed
Nftables: a new packet filtering engine Posted Mar 27, 2009 5:21 UTC (Fri) by quotemstr (subscriber, #45331) [Link] Someone was supposed to write the cool GUI toolOh, people have written neat front-ends. But because there was no de facto standard rule compiler distributed with iptables, all the tutorials, guides, and so on focused on what was universal, direct iptables manipulation. Since everyone was familiar with raw iptables, front-ends were seldom used, and seldom distributed. pf also has a fairly primitive kernel-side "assembly language", but because pfctl is the way everyone manipulates the kernel state, nobody notices the difference between pf.conf and the raw rules as seen when reading the firewall state back from the kernel. If, from the start, iptables had an official and useful front-end language tied to exactly the same kernel architecture, I doubt we'd be talking about a replacement today. changing your NAT rules should not imply a change to your filtering rules unless you're being very trickyIt's still very useful to be able to specify them in the same place. When writing filtering and NAT rules, we mentally track the path of a packet as it transits the network stack; since a packet is subject to filtering and address translation in sequence, it's useful to be able to specify the rules in the same place.
Nftables: a new packet filtering engine Posted Mar 29, 2009 19:49 UTC (Sun) by job (guest, #670) [Link]
Another reason may be that few network professionals really wants a GUI tool. They want something that's readable yet concise, supports just the right amount of macro processing, and is easy to deploy on a large scale. It's not strange that Cisco is still highly regarded despite the fact that they never made a GUI tool that people actually use.
Most home users just use a web based configuration tool, and there are many capable ones. No waiting necessary, but that's a very different problem space.
Nftables: a new packet filtering engine Posted Mar 27, 2009 18:06 UTC (Fri) by kaber (subscriber, #18366) [Link]
I agree, one more reason is that NAT rules affect connections, while filtering rules affect both packets and connections and are evaluated on a per-packet base.
iptables is, just like the kernel side of nftables, indeed the assembler of firewalling. Userspace is missing a compiler in my opinion though :) One of the differences is that nftables performs file-based parsing by default, so it can collect more information about the entire ruleset. So far it doesn't use much of that context, but I have some ideas for when the important parts are done :)
Typo Posted Mar 24, 2009 19:11 UTC (Tue) by PhracturedBlue (subscriber, #4193) [Link]
"...past the beginning of the network reader, into register 1..."
should be 'header' not 'reader' I think.
Nftables: Not addressing VJ channels or userspace tcp Posted Mar 24, 2009 19:42 UTC (Tue) by hisdad (subscriber, #5375) [Link]
One of the nice things for the future is to move the TCP/IP stack into userspace. The Kernel then runs VJ channels (Discussed here some time back).
The performance improvement can be large.
The catch is how to do firewalling.
Updating to a new codebase that still doesn't do this is of limited use.
--John
Nftables: Not addressing VJ channels or userspace tcp Posted Mar 25, 2009 1:17 UTC (Wed) by ras (subscriber, #33059) [Link]
Sounds like nftables is a technical improvement on iptables. The networking stack could do with a few technical improvements. Yes, there is a lot of duplication in the various xxxtables implementations. But then there is a lot of overlap between xxxtables and netfilter itself. And not a small amount of overlap between the functions provided by xxxtables, xxxfilter and the routing tables. You can, for example, use any one of them to drop a packet. If what Patrick has done addresses the duplication all the way down the stack, then it is a huge improvement.
Out of the 3 of them, iptables is probably the least efficient way of doing things since it provides no form of table lookup. Thus you get one linear list of rules which always takes O(n) to process. The others can do table lookups. So iptables it makes sense to replace iptables. But ....
Almost everyone uses iptables to get the job done? Why. Documentation. Rusty's user level documentation for ipchanins and later iptables on the other hand is possibly the best of any kernel documentation I have seen. It sets the standard, and is a fine example others should follow.
The netfilter developers on the other hand have an appalling record for doing documentation. It lies at the other end of the spectrum - possibly the worst documentation for any kernel tool. This tradition started with Alexy, who didn't bother to write a single line of doco on how to use the tc command. Well possibly one line - something along the lines of "see the usage message". His followers, Patrick included, have continued with that fine tradition. As far as I can tell they have never written a single line of user documentation. Thus the man entry for tc on Debian Lenny was written 8 years ago, by someone who trolled the kernel code to figure out how it worked. Recent additions by Jared and Patrick, such as mirred and redirect don't appear in any "official" documentation. The only information we get is quick HOWTO's posted to mailing lists.
If you want to really use this stuff at all you have to troll with google looking for either these snippets, or more commonly HOWTO's posted by others who have stumbled across the solution. Sadly the HOWTO's are often misleading, as you would expect from something developed by finding something close to what they wanted then fiddling to make it work for their particular application. They don't have much of an idea as to what is happening underneath, so their explanations as to why it works tend toward useless. If you really want to use this stuff to its full potential then you only have one choice: read the kernel source.
This may sound like just someone bitching, but if nftables gets in history will almost certainly repeat itself. Alexy decided that doing traffic control on ingress didn't make sense. Nonetheless, people wanted to do it, and eventually the IMQ module made it possible. IMQ had fairly good documentation. But the netfilter guys didn't like the way IMQ did things, so it never made it into the kernel. However the persistent popularity of IMQ eventually pushed them into providing a way to do incoming traffic control within the existing framework. Only, they never did bother documenting it, so figuring out how to use it takes a fair amount of effort. Needless to say IMQ lives on.
And Patrick introduced HSFC, a replacement for CBQ and HTB. Technically, HSFC is better than either - it is a nice qdisc. But naturally documentation is sparse, scattered across the internet, and mostly not written by Patrick.
In a nutshell, I'd take iptables with documentation over nftables without doco any day, regardless of how much better nftables is technically.
At a higher level, Linux is in dire need of a a change to Dave Millers patch acceptance policy. It should go something like this: if you make a kernel change that shows up at use level (eg by changes to the tc command), then the patch will only be accepted if there is a patch for the man page, and preferable a patch to an "official" tutorial somewhere giving examples of typical usage.
Documentation! Posted Mar 25, 2009 2:20 UTC (Wed) by dskoll (subscriber, #1630) [Link]
I would like to mod the previous comment regarding documentation up 1000 points!
Documentation! Posted Mar 25, 2009 20:22 UTC (Wed) by nix (subscriber, #2304) [Link]
Seconded. I have no clue how to use the traffic control system: I tried to
learn, gave up when I realised how undocumented most of it was, and ended up delegating the job to a Cisco router, which probably does a worse job of it than the kernel could but at least is documented.
Documentation! Posted Mar 27, 2009 4:46 UTC (Fri) by rusty (✭ supporter ✭, #26) [Link]
Actually, Alexey wrote excellent (if highly technical) documentation for the ip command. It's
called ip-cref.tex and it's in the source distribution of iproute2.
That said, I'd be happy to write a HOWTO for nftables, once it's ready for non-devs. Only takes
Documentation! Posted Mar 27, 2009 6:26 UTC (Fri) by ras (subscriber, #33059) [Link]
Yes. He did. I have read it many a time, along with its companion ip-tunnels.tex. However iproute has two main commands: ip and tc. ip-cref.tex and ip-tunnels.txt only cover ip. I have no problem with either of them, other than perhaps him not providing them in the form of a man page.
But ip is a relatively simple command compared to tc, and all he provided for it was README.iproute2+tc. I guess without it, I would not have known the purpose of the tc command. For the rest I had to read the source.
> That said, I'd be happy to write a HOWTO for nftables
Bugger future messes these people might create, how about fixing the ones they have left behind? I wrote my own doco when I decided to use tc in anger: http://www.stuart.id.au/russell/files/tc/doc so I am not asking for someone to do something I haven't done myself. And before you ask the obvious question: after dealing with the kernel devs once, I think Conroy must be easier to deal with. Perhaps I exaggerate, but only by a tiny bit.
Documentation! Posted Mar 27, 2009 18:09 UTC (Fri) by kaber (subscriber, #18366) [Link]
pdf and man-generation from docbook source are integrated and I even already wrote a few lines :) While I'm not good at writing HOWTO's, I intend to write command reference, syntax etc. documentation.
Documentation! Posted Mar 27, 2009 23:52 UTC (Fri) by ras (subscriber, #33059) [Link]
This is great news.
Writing reference documentation (like a man page) is something programmers do well. Writing concise (as in contains few redundancies), complete and unambiguous explanations is what most programmers do naturally - and it normally comes easily to them regardless of the language - C or English. I suspect this is why the man page system is one of the best sources of documentation around. There are notable exceptions of course - like the sudo man page, but even that manages to be clearer than some ISO specs I have read.
HOWTO's and tutorials - well rusty seems to have a remarkable talent for it, but he is the exception rather than the rule. The best HOWTO's seem to come from the users.
I see below you are talking of adding nftables as a classifier. This is even better news. It is a way of evolving the mess we have now into something sane.
Documentation! Posted Mar 27, 2009 21:51 UTC (Fri) by giraffedata (subscriber, #1954) [Link] But are you saying you'd be better off if there were no traffic control system? Because I believe that's what dskoll's point is: a patch that adds a feature should be rejected unless it additionally adds documentation to help people use it. There is plenty of open source code I don't use because of lack of quality documentation, but I never fault the person who made the code available to me.
Documentation! Posted Mar 28, 2009 0:59 UTC (Sat) by ras (subscriber, #33059) [Link]
> I never fault the person who made the code available to me.
There is no doubt in this case I _am_ faulting the person who provided the code. Well, to be more accurate, I fault the project. The project should not accept the code without documentation.
Evidently you think this is unreasonable. But my attitude is actually worse, if that is possible - I hold different projects to different standards. I am perfectly happy with a buggy, poorly documented 1000 line utility I found on sourceforge. Yet when it comes to large projects like samba, apache and gcc I expect so much more. I actually expect code and documentation that is at least as good as I get from a commercial vendor. Can you believe that! I actually expect the open source process to produce a better quality product than something I pay money for!
Well unreasonable or not, I write the occasional open source program and I hold myself to those standards. You sort of have to really, because if you produce crap everyone can see it - you ain't some anonymous coder hiding behind an organisation.
Still, I don't produce code as good as I see in the kernel. Patrick, rusty and friends - they hold each other to the highest standards. New code that makes it into the kernel core is usually beautifully written. And the kernel project has a savage review process that ensures it stays that way.
Yet no matter how beautiful the code is, there is no point it if nobody uses it. And that is the situation netfilter finds itself in. Out of all the potential uses it might have it is deployed in, it is in but a fraction of them. This is because figuring out how to use it is a huge effort. Because there is no doco you have to read the source to get a true understanding of how it works. Thus only C programmers who are prepared to troll the kernel and iproute2 source really have a clue. Actually it is even worse than that. In the case of the schedulers the code is (necessarily) so complex the code only gets you part way there. You have to read the original academic papers on the algorithms used. (HTB, being the only scheduler written outside of the kernel team, is the one exception.) The situation is so bad its even defeated all the book writers.
So, returning to the original point, we have arguably the largest open source project of them all, the kernel, churning out code almost no one uses because they don't regard documentation as an important part of the final product. And yeah, I think this means the kernel development process is broken. And yes, I hold the people who drive that development process accountable. They could do so much better.
Documentation! Posted Apr 16, 2009 6:23 UTC (Thu) by zmi (subscriber, #4829) [Link]
It would be *so nice* to have documentation for "tc". I once tried to use
it, but didn't understand it really. There was a package "wondershaper" on SUSE Linux, but still I never managed to do much more than add a port to "higher priority".
Having a clean, logical and documented integration of traffic shaping and
Of the GUI tools I really like "fwbuilder", although it lacks the ability
Nftables: Not addressing VJ channels or userspace tcp Posted Mar 25, 2009 3:11 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]
iptables only has a linear ruleset if you choose to make it be linear.
on just about every real-world ruleset I've needed to deal with I was able to split the ruleset up through multiple tables/chains and not only speed up the processing, but make the ruleset smaller and easier to understand.
it's like the complaint about the inability to log and drop in one command. create a separate chain called LOGDROP with two rules, the first unconditionally logs the packet, the second unconditionally drops the packet. then in your rules where you want to log and drop you don't need two conditionals, you just do -j LOGDROP and it does both.
I've had firewall rulesets drop from 2000+ lines to <200 lines by using fairly simple tricks like having one set of rules that just examines the source/destination IP addresses and jumps to another chain that doesn't look at IP addresses, but only considers ports.
very few people seem to realize the power that comes from creating your own chains and splitting different types of checking between them.
nftables could be a significant win on the performance side, but to get there it really should start out by replicating the XXtables functionality that exists today so that users don't _need_ to care about nftables.
Nftables: Not addressing VJ channels or userspace tcp Posted Mar 25, 2009 4:02 UTC (Wed) by ras (subscriber, #33059) [Link]
I agree if nftables is to get up Patrick will have to come up with some transition arrangement. Whether that be iptables and nftables co-existing for a while, or nftables emulating iptables rather like ifconfig is now an emulator is probably a matter of taste.
However, that is just my reading of the political wind. Personally I don't would not care if one day nftables just replaced iptables. It would not be a huge job to just replace my firewalls - if there was documentation.
As for speed, I think that is a minor issue compared to the code duplication. If you really want a fast firewall you could use a u32 ingress filter now for many purposes. And that is a problem. These layers all implementing similar functions bloat the kernel, slow things down and complicate things immensely. Networking is hard enough without having several different ways of doing things.
Nftables: Not addressing VJ channels or userspace tcp Posted Mar 28, 2009 0:04 UTC (Sat) by Nelson (subscriber, #21712) [Link] on just about every real-world ruleset I've needed to deal with I was able to split the ruleset up through multiple tables/chains and not only speed up the processing, but make the ruleset smaller and easier to understand.That's only partially true. Every maintained, real-world firewall, that is run by a more programmery type admin is this way. Just about all the others are complete cluster-Fs. I've seen more than a few firewalls where people started adding special rules for things, with no documentation and then it changes hands, and after a while it's big, ugly, and nobody knows why it does what it does and they're afraid to change it. FWIW, a compiler can optimize those big ugly ones down to the minimal set and they can also optimize them for efficiency. It's just about a perfect compiler problem from a textbook or something.. Since that's the case, while it's nice to let the programmer configure the tables and define why packets should flow through the rules of different ones, but it seems like there is a good case to build that compiler and just solve it for everyone. I've developed a number of products that make use of netfilter in different ways. I like the goals of NFtables. Some of the netfilter plugins are kind of calcified, some are useless, not all are IPv6 compliant; it's worth cleaning it all up and setting a new benchmark.
Nftables: Not addressing VJ channels or userspace tcp Posted Apr 6, 2009 8:14 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]
note that I didn't claim that the rulesets _were_ split up cleanly, just that they _could_ be split up cleanly to multiple tables/chains.
the point being that you don't have to throw out the current system to get that, you 'just' need to create the tools to analyse the rulesets and optimize them.
nftables may have some real benefits, but a lot of what's being claimed for it could be done with iptables today, and doing it requires verylimilar tools be written in either case (the difference being if it compiles down to iptables commands or to nftables commands)
it has been commented that iptables was intended to be the assembly language level with the expectation that higher level languages would be written to compile down to it. In practice it is used directly.
it looks like nftables is intended to be the machine language level, making it unsuitable (and effectivly unusable) for admins directly with the expectation that higher level languages will be written to compile down to it.
since the higher level tools were never created for iptables I am concerned that they won't be for nftables, which is why I was calling for the minimum to be a compiler for the existing iptables functions.
people talk a lot about the need for 'high level' firewall/router controls, but as far as I know, nobody has ever produced a usable set of such 'high level' controls. every attempt that I have seen ends up oversimplifying things to the point that they are usable for a very small set of tasks, and as soon as you need _anything_ outside of that set, you have to throw out the 'simple' tool and go back to the low-level tool.
User-space TCP/IP Posted Mar 26, 2009 22:51 UTC (Thu) by zlynx (subscriber, #2285) [Link]
You don't have a problem with firewall. Just as the socket connect, read and write calls for TCP/IP would be handled by a user-space library, the firewall would be as well.
If you do not trust your user-space for some reason, then the thing to do would be to force applications to communicate through a user-space daemon process. You would lose performance, just like forcing graphics apps to use the X server instead of direct rendering.
A separate piece of hardware for doing firewall is usually a better idea and if you care about performance enough, you would have one anyway.
Nftables: a new packet filtering engine Posted Mar 25, 2009 0:07 UTC (Wed) by herge (guest, #57423) [Link]
Will it solve other iptables drawbacks:
- no session replication between two firewalls. - rule-matching should be done only for the first packet of a connection. Actually it is done per packet when using the filter table. While you can do this with PREROUTING, it should be done as a standard. - RELATED state whould be handled natively, ne need to add RELATED rules for this. - matching TIME_WAIT state as a default is dangerous : a short-lived TCP connection will be maintained in the connections' table for too long. - using macro for rule maintenance, as done by pf.
pf and most commercial firewalls perform that way. Iptables' design is way broken.
Nftables: a new packet filtering engine Posted Mar 25, 2009 1:12 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]
it is possible to replicate between firewalls
you can match on every packet of the connection. most people don't bother, but all you have to do is to not put 'if established allow' at the top of your ruleset.
the question of what is done automaticaly and what should be done explicitly can be argued forever, I see this as significantly weakening your RELATED complaint.
where does it match TIME_WAIT by default?
as for macros for rule management, with iptables you can use whatever tools you want in userspace to create your rules.
the things you are listing as drawbacks don't seem as drastic to me as they seem to appear to you.
Nftables: a new packet filtering engine Posted Mar 25, 2009 10:50 UTC (Wed) by herge (guest, #57423) [Link]
where does it match TIME_WAIT by default?
# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait 120
Once a connection has reached the TIME_WAIT state, it will be kept in the connection table for 120s.
Nftables: a new packet filtering engine Posted Mar 25, 2009 2:16 UTC (Wed) by bduncan (guest, #6886) [Link]
iptables had many more drawbacks and I ended up sticking with ipchains for as long as I could. One of the worst was the way it broke logging. Many other issues like the way forwarding was broken making common rules (for both the router as well as the routees) more difficult.
I for one, am eagerly awaiting nftables!
Nftables: a new packet filtering engine Posted Mar 28, 2009 3:57 UTC (Sat) by rusty (✭ supporter ✭, #26) [Link]
> Will it solve other iptables drawbacks:
> - no session replication between two firewalls.
Well, that's not really a core iptables responsibility, IMHO.
> - rule-matching should be done only for the first packet of a
Um, this is pretty trivial to set up. You probably want something like:
Then put your rules in the NEWPKTS chain. (For simpler setups, you
> - RELATED state whould be handled natively, ne need to add RELATED rules for this.
But if someone wants to log related packets, such an implicit rule would be a PITA.
> - matching TIME_WAIT state as a default is dangerous : a short-lived TCP
There's an argument that the assured bit should be reset for TIME_WAIT conns (which makes the eligible for reaping if we need to make space), but you have to keep tracking conns through TIME_WAIT; the state is there in TCP for a reason!
> - using macro for rule maintenance, as done by pf.
This, I think, is your real issue: iptables is too low-level. I agree, but it was a deliberate decision to leave building the higher levels to someone else. As I've alluded elsewhere, it didn't really work.
> pf and most commercial firewalls perform that way. Iptables' design is
See above.
Hope that clarifies,
Scope for porting to network processors Posted Mar 25, 2009 2:37 UTC (Wed) by alex (subscriber, #1355) [Link]
This is certainly an interesting approach. I wonder what sort of scope
there would be for porting the virtual nftables code to a network processor? A lot of high end networking hardware works with custom networking processors (CPU's tuned to packet inspection/direction).
On a slightly un-related note is the nftables VM sufficient enough to
Scope for porting to network processors Posted Mar 25, 2009 3:32 UTC (Wed) by kaber (subscriber, #18366) [Link]
I intend to add support to use it for TC classification. But it won't do shaping itself, the classifiers will be attached to qdisc classes as today.
Traffic shaping Posted Mar 26, 2009 20:27 UTC (Thu) by dion (subscriber, #2764) [Link]
Linux traffic shaping is a complete disaster area, anything that can be done to get it under some sort of control is good.
I've had the displeasure of having to set up traffic shaping on a couple of occasions and every time I had to read tons of incomplete documentation and outdated documentation.
I realize that there's always the danger of designing something like this to death, but it would be very cool if a proper, userfiendly integration with traffic shaping could be baked in this time around, the gulf between tc and iptables has been a an absolute catastrophe wrt. usability, mindshare and documentation.
Traffic shaping Posted Mar 27, 2009 18:35 UTC (Fri) by kaber (subscriber, #18366) [Link]
Yes, I really want to have something useable for both myself.
I agree on the "designing to death" risk, but this is something that affects the API and because of that needs to be considered from the beginning. I'm about to finish the second-to-last missing part of the API (an API for maintaining sets independently of rules), hooking it up to TC will be the next and probably last bigger part.
Traffic shaping Posted Mar 27, 2009 23:37 UTC (Fri) by rmayr (subscriber, #16880) [Link]
And please, please, *please* hook into ingress shaping as well. Yes, IMQ had bad code
quality, but it was understandable from a user point of view. IFB isn't and it doesn't work in many cases important in practical scenarios. I have been dealing with ingress shaping for the past 2 years and managed to get many Linux gateways deployed because of the flexibility that combining netfilter marks with IMQ gave me. IFB so far doesn't seem to be a capable replacement, and IMQ is broken with >= 2.6.27.
Traffic shaping is becoming more important by the month. It's time to let it become
Traffic shaping Posted Mar 28, 2009 13:25 UTC (Sat) by dion (subscriber, #2764) [Link]
I'd *so* like to second that! I've had the displeasure of having to do downstream traffic shaping systems with several downward interfaces and that means having to deal with an IFB interface or the silly limitations Linux has on ingress shaping at the moment.
Why is it that I can't simply pipe traffic via a queue from any arbitrary firewall rule?
Scope for porting to network processors Posted Mar 26, 2009 0:05 UTC (Thu) by Thalience (subscriber, #4217) [Link]
The difficulty of running the nftables VM on a specialized filtering processor would depend entirely on what is the native instruction set for said processor.
Scope for porting to network processors Posted Mar 28, 2009 20:03 UTC (Sat) by jzbiciak (✭ supporter ✭, #5246) [Link]
It'd probably be more interesting to try to cross compile to the native instructions of such a processor.
Nftables: a new packet filtering engine Posted Mar 25, 2009 11:31 UTC (Wed) by job (guest, #670) [Link] An excellent article, as always. Nftables is one of those things I really wanted to take a look at "any day now". As a user/sysadmin, these are the main problems I have with iptables and friends:
It would also be desirable to use table lookups for large rulesets to improve performance. Nftables seems to be an interesting development. My immediate worries are that Using a byte code interpreter in the kernel is a very dangerous path. It's like a do-everything-syscall, opaque and hard to understand. Also, what about the connection trackers such as FTP, SIP etc.? Shall they be called from bytecode or reimplemented? They also contribute to duplicated code.
Nftables: a new packet filtering engine Posted Mar 26, 2009 1:37 UTC (Thu) by gdt (subscriber, #6284) [Link] My immediate worries are that Using a byte code interpreter in the kernel is a very dangerous path. It's like a do-everything-syscall, opaque and hard to understand. I think a byte code interpreter would be more secure than the current situation, where people who want to get a particular protocol supported have to write a netfilter module. If you think the user-space documentation for iptables hasn't been maintained for years, well the netfilter documentation is much worse. Compared with new kernel authors writing modules which can access any kernel memory or service using under-documented APIs -- a byte code interpreter looks sane: it limits the memory accessed, it talks the language of networking rather than the kernel, it has a limited API, and it has no locking or other kernel-specific difficulties. Sure, a byte code interpreter makes it possible to do the wrong thing with a syscall. But that wrong thing can't do anything but access and manipulate packets. It can't cause the kernel to crash and die like a poor netfilter module.
Nftables: a new packet filtering engine Posted Mar 26, 2009 17:06 UTC (Thu) by samroberts (subscriber, #46749) [Link]
BPF as used by tcpdump is already a byte-code interpreter in the kernel,
and pre-existed iptables. It does matching, but doesn't have actions.
I find it interesting that the lwn article and what little info I saw
And why the firewalling didn't take a BPF-like approach with an opcode
Nftables: why it isn't based on BPF Posted Mar 27, 2009 6:55 UTC (Fri) by speedster1 (subscriber, #8143) [Link]
From Patrick's blog entry (mentioned in article)
http://people.netfilter.org/kaber/weblog/2008/08/20/
A very important feature, one that is missing from all other filters that are built similar in the kernel (like BPF, TC u32 filter, ...), is reconstruction of high level constructs from the representation within the kernel. TC u32 for example allows you to specify "ip daddr X", but when dumping the filter rules it will just display an offset and length.
Nftables: a new packet filtering engine Posted Mar 27, 2009 18:14 UTC (Fri) by kaber (subscriber, #18366) [Link]
The BPF interpreter isn't too useful for this case since you can't update an BPF program incrementally and the filter size is limited to 64k. Its also too limited in many other aspects.
Nftables: a new packet filtering engine Posted Mar 28, 2009 17:21 UTC (Sat) by yoduh (guest, #38527) [Link]
Can you elaborate on these differences for us fresh readers of the bpf-usenix93 paper? Your VM sounds close enough to BPF++ to perhaps describe it in those terms. Both limitations you cite (no incremental update, 64k) sound like implementation decisions made when the goal was picking 1 in 100000 packets, not disposition of every one of them; ie not hard limits.
Nftables: a new packet filtering engine Posted Apr 3, 2009 18:22 UTC (Fri) by trasz (guest, #45786) [Link]
Actually, at least in FreeBSD, bpf is not just a bytecode interpreter - it employs JIT.
Nftables: a new packet filtering engine Posted Mar 25, 2009 15:48 UTC (Wed) by mgedmin (subscriber, #34497) [Link]
I always thought "ipfw" was the name of the mechanism, and "ipfwadm" the name of the userspace tool for controlling the mechanism.
Does it have _real_ subroutines? Posted Mar 27, 2009 14:26 UTC (Fri) by Yenya (subscriber, #52846) [Link]
My biggest problem with IPtables is, that it does not support real subroutines. You can use user-defined chains to factor out most of the common code, but there is no way to make them "local". I.e. to be able to say "call this chain, and when the result is DROP, DROP the packet. Otherwise, (for every other decision including ACCEPT), continue further".
I have an IPtables firewall routing between about 9 vlans, some of which have the security status of "outside world", other having various levels of security (currently I have >1600 iptables rules, and some of the filtering - like blacklisting some IP address blocks - is done on the iproute2 "ip rule" level outside iptables). There is no way how can I say "treat such and such traffic outgoing from one of my VLANs as legal, but consult further the rules for the destination machine on the other VLAN", without replicating some of the rules and without being _extremely_ careful about not calling ACCEPT in some chains.
Also, would the interpreted filtering have any performance impact? I am currently able to route about 1.5 Gbit/s of traffic with those >1600 rules on a dual-CPU opteron box. Would nftables be able to handle it as well?
Does it have _real_ subroutines? Posted Mar 27, 2009 18:26 UTC (Fri) by kaber (subscriber, #18366) [Link]
Actually you should be able to do that, DROP is an absolute verdict and terminates ruleset evaluation. So is ACCEPT, but you can use CONTINUE or RETURN to continue in the calling chain. The goto option might also be useful if you want to return to a higher chain.
About performance: the current version is missing some optimizations and is noticably slower than iptables with linear classification. I have a few optimization patches that inline small aligned data loads and comparisons into the main evaluation loop, which results in about equal performace to iptables (it can't be compared directly).
Where nftables gives better performance is when you're able to restructure your rulesets to make use of sets and jump and data maps to reduce the amount of rules evaluated for each packet. Sets are pretty obvious I guess, with jump maps you can structure your ruleset as a tree and have efficient classification in the nodes. Data maps allow you collaps similar rules than differ only in the target, f.i.:
iptables ... -i vlan0 -j SNAT --to-source ip1
becomes
nft ... snat map meta iif { vlan0 => ip1, ..., vlanN => ipN }
Does it have _real_ subroutines? Posted Mar 27, 2009 21:00 UTC (Fri) by Yenya (subscriber, #52846) [Link]
What I would like to have is not a goto, RETURN or CONTINUE, but something like try { } catch { }. I.e., to be able to tell where to RETURN from the _calling_ side, not from the possibly deeply nested user chains. Only from the calling side I can be sure that some underlying rule cannot do something unexpected.
Please, please, PLEASE merge this! Posted Apr 2, 2009 10:02 UTC (Thu) by ringerc (subscriber, #3071) [Link]
One thing that WASN'T mentioned in the above is that nftables:
- Can quickly and efficiently compile and load rules from a single simple file without hundreds or thousands of invocations of the `iptables' process
- Can implement sane error handling for rule definition; and
- Can potentially TRANSACTIONALLY APPLY RULE CHANGES
*PLEASE* merge this. I've wanted these capabilities for so long - iptables' userspace interface is SO awful to work with.
Please, please, PLEASE merge this! Posted Apr 2, 2009 10:36 UTC (Thu) by mgb (guest, #3226) [Link]
Have you tried iptables-restore?
Please, please, PLEASE merge this! Posted Apr 3, 2009 18:24 UTC (Fri) by trasz (guest, #45786) [Link]
I.e. pftables can do a few more things BSD users had available (with pf) for... how many, five years
now? ;-)
Nftables: a new packet filtering engine Posted Apr 2, 2009 10:45 UTC (Thu) by jengelh (subscriber, #33263) [Link]
>that is part of why there are actually three copies of the iptables code in the kernel.
_Four_ of them: ip, ip6, arp, eb.
And the kickoff for the mess is that someone decided to do a parallel copy, from struct ipt_ip to ip6t_ip6 instead of creating a higher level that could contain either ipt or ip6t as sub-data. (E.g. footabels -m ip6t) Then lots of the table management mess could have been avoided.
Nftables: a new packet filtering engine Posted Apr 3, 2009 5:40 UTC (Fri) by ejmarkow (guest, #56170) [Link]
Rather than reinvent the wheel, OpenBSD's excellent PF (Packet Filter) firewall should just be ported and used for Linux and have it replace Iptables. As a former FreeBSD and current Arch Linux user, a firewall similar to PF is an essential item currently lacking in Linux. Otherwise, I support the implementation of Nftables if it's going to be a vast improvement.
Nftables: a new packet filtering engine Posted Apr 3, 2009 13:02 UTC (Fri) by nix (subscriber, #2304) [Link]
Other comments to this article have pointed out that pf has fewer features
than iptables, so porting (really 'reimplementing') it isn't something that's terribly likely to happen.
Nftables: a new packet filtering engine Posted Apr 3, 2009 18:18 UTC (Fri) by xorbe (subscriber, #3165) [Link]
This sounds about as useful to me as SELinux...
Nftables: a new packet filtering engine Posted Apr 4, 2009 18:56 UTC (Sat) by mjcoder (guest, #54432) [Link]
Hehehehe, so we have a VM in the Linux kernel. What about the LLVM, or .NET VM (mono) or even Java? This would have the nice side-effect of having a JITted network filter application. (Don't take this too serious ...)
Nftables: a new packet filtering engine Posted Apr 4, 2009 20:02 UTC (Sat) by nix (subscriber, #2304) [Link]
We have several VMs in the kernel already: e.g. there's one for ACPI.
Nftables: a new packet filtering engine Posted Apr 6, 2009 15:49 UTC (Mon) by kanchev (guest, #42519) [Link]
Why not LLVM? It's not just a VM, it's a compiler framework. You'll just need to develop a proper frontend which parses the nftables syntax and a backend which generates bytecode for the kernel VM. As a bonus you'll get the LLVM optimizations.
|
|||||||||||||