Fw4 and nft rule assistance request

oskari.rauta · March 15, 2022, 8:41am

Hello.

I have a box running with master version, so it uses fw4.
I have set up a nft-set with type of ipv4_addr and I'd want to drop/reject all ip's on it from accessing device from wan (I have a web service running)..

But I have some difficulties... fw4 seems to use on only inet table, so it would be wise to stay on it..

nft add set inet fw4 blacklist { type ipv4_addr\; comment \"my blacklist\" \; }
nft add element inet fw4 blacklist { 101.101.101.101, 101.101.101.102 }

and then..

nft add rule inet fw4 input ip saddr @blacklist drop

But that goes nowhere.. I also tried few other chains with luck as good as with this one.. Also with just ip instead of set, it works just as fine..

nft add rule inet fw4 input ip saddr 101.101.101.101 drop

IP addresses used in this example is imaginary for demonstration purposes only and ip addresses were not harmed during this post..

dave14305 · March 15, 2022, 2:36pm

Have you tried to implement using the firewall uci syntax instead? You would still use the ipset keyword to create and match an nftables set.

oskari.rauta · March 15, 2022, 3:09pm

I tested to add a rule also that blocks certain ip but that didn't work out either.
But I tested it only to see how it is shown in nftables, but it wasn't useful as it didn't work.

I do not have iptables/ipset utility at all and won't; it's not useful, I am creating a small project similar to banip, except it's written in c++, is a bit expanded version and uses nft instead of iptables/ipset. So it utilises libnftables, not shell executables - so I cannot use ipset for this.

There are some quite good documents/tutorials available for use of nftables, but most of them aren't working with stock fw4, as fw4 manipulates nft to only use inet table - and what it is worth, it won't work out either as in those samples, a really simple firewalling is used; after fw4 you get tons of chains....

oskari.rauta · March 15, 2022, 3:54pm

Answering to my own question: I got it.

All this can be done using nft command-line utility, but actually easiest way is to use files in /etc/nftables.d

But let's do it by hand first, as that's what I asked..

# add set first, this line can be skipped if you want to drop from a single ip only
nft add set inet fw4 blacklist { type ipv4_addr\; comment \"my blacklist\" \; }

# then add chain
nft add chain inet fw4 blk_chain { type filter hook forward priority -1\; policy accept\; }

# and finally, add rule.. If you want to drop only from one static ip- replace @blacklist with ip address
nft add rule inet fw4 blk_chain ip saddr @blacklist drop

fw4 rules are applied with priority 0 and as our priority here is set -1 and our chain hooks to forward, it's through this filter first then.

Easier way though, is to create a file in /etc/nftables.d/09-blklist.nft:

set blacklist {
	type ipv4_addr;
	comment "blk";
}

chain blk_chain {
	type filter hook forward priority -1; policy accept;
	ip saddr @blacklist drop;
#	ip saddr 101.101.101.101 drop;
}

Not that hard after all when you realise order of ruling and forget about manipulating already existing rules.

dave14305 · March 15, 2022, 8:02pm

This should be @blacklist so anyone using this example in the future gets it correct. Thanks for sharing it!

oskari.rauta · March 15, 2022, 8:15pm

Thanks, I forgot to rename that when pasted this from my testing environment to better name for this example.. I fixed it.

system · March 25, 2022, 8:16pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.