Looking for a good nft tutorial

Someone sent me a set of nft commands, which seemed to work. But I can't find much of an explanation of what they do.

Is there a good tutorial for the basics of nftables? I assume that OpenWrt's implementation is identical to every other, so links to any good one would be appreciated. Thanks.

3 Likes

Agreed; it's time for the Jedi Masters to share their secrets.

2 Likes

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes

The wiki might seem confusing at first sight but is actually quite good.

1 Like

I have seen that page. But it doesn't even answer the question: How can I see the rules that are in place now?

The best my Google-fu could do is: https://www.mankier.com/8/nft that says:

nft list ruleset

But then how do I interpret the output? Links appreciated. Thanks all...

Are you aware that you have not actually asked this question? Did you (at least) try to read the articles that are linked on the front page of that wiki?

If you do not ask any specific question or show the rules you are struggling with, no one is able to help you...

Yes, I did try to read some of the articles. My sense was that they were written as a cheat-sheet for someone who already knows how the system works.

I'm a newcomer to nftables. And so my original question still stands:

So far, the answer seems to be, "No." I would love to be proven wrong by having someone provide links. Thanks.

1 Like

I also need intro material to read. I just found this one and it looks decent:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/getting-started-with-nftables_firewall-packet-filters

We may have to look to books to get more basics, background and theory etc. Or perhaps look for basics in documentation for iptables and then work from there to transfer knowledge into working with nftables.

1 Like

I might ask again: what is your struggle? The wiki explains tables and chains and rules. It also explains how to use advanced concepts like vmaps and sets, and how you should organize your ruleset.
Are you looking for basic firewall rules? Are you searching for how the Linux packet filtering system works?
Just throwing out an "I'm looking for an explanation" without saying for what will not bring any benefit.
The web is full of 5 minute introductions. The Arch wiki contains an okay-ish overview of what rules you might want on a workstation. And so on.

But back to your initial post: you said you have gotten rules you do not understand. The 10 min introduction is a cheat sheet for quick lookup of options. But you still failed to provide the rules which you do not understand. And again, you have not asked for an introduction, you have asked about specific rules. So the reader would assume you have a basic understanding of how a firewall on Linux works in general...

So my last try: what rules do you have which you do not understand? Or provide the full rule set with inline comments on what is unclear to you.

@_bernd I would like to push back a little here on your position and tone because I feel the same way as @richb-hanover-priv.

It is a well-recognised phenomenon that highly technically minded individuals are often not well suited to communicating or describing technical subject-matter in a manner that facilitates a rapid understanding by others. In my work I often have to form a bridge between inventors and the provision of a technical description of inventions, and so I experience this first hand.

I do not think that the nftables wiki provides a good introduction or overview for those not familiar with nftables or perhaps even not familiar with iptables. Like @richb-hanover-priv indicated it seems to assume a great deal of background knowledge.

@richb-hanover-priv asked for:

and I would like one too.

I came across this:

and found that fairly helpful.

The OpenWrt wiki in general leaves a lot to be desired as compared to the quality of, say, the ArchLinux wiki.

Let's take a look at the OpenWrt page on nftables:

It clearly needs a lot of work. Will it get it? Probably not any time soon. I would be willing to help, but to contribute requires understanding and gaining understanding is the problem we face!

By way of what I think is a helpful comparison, consider by contrast the Archlinux wiki:

https://wiki.archlinux.org/title/nftables

The OpenWrt wiki entry for nftables leaves a fair amount to be desired and lacks practical assistance for basic concepts like, for example, how to add a custom table. Taking the latter example, as far as I can tell, an explanation for that is buried in a comment on a GitHub issue here:

And even then the default behaviour is that if the firewall does not properly load owing to a typo in a config file or similar the user cannot even access his OpenWrt system on reboot without entering failsafe mode. Ouch!

In general improved knowledge sharing is an area that I think the OpenWrt project as a whole could benefit from. The wiki is surely an important and promising avenue for such improvement, and of course that requires willing volunteers and improving the culture in respect of documentation. Not easy, but I hope this may get better with time.

2 Likes

In my experience, the best tutorial is to read and understand a well-documented nftables ruleset (see many of dlakelan’s threads and github repo). nftables is not well-understood yet compared to iptables, and is still under active development by the Netfilter team, so existing tutorials get stale quickly.

Isn’t firewall3/firewall4 meant to insulate less technical users from the intricacies of iptables/nftables? Once firewall4 becomes part of a stable release, I would expect the firewall wiki documentation to be updated for the changes since firewall3.

1 Like

The simplest answer is: ENOTIME. That is, like most people on the Forum, I have limited time to learn about new technologies. As a forty-year network professional, I am confident that I could take 2-5 hours to read through the first results from Google and learn about nftables.

But why should I? (And more to the point, why should every other reader of the Forum?) One big advantage of having a community of techies is that we can share tips, secrets, or ways to learn about a new topic, especially if those links point to information that's known to be correct for OpenWrt.

My fond hope is to find a page that says, "Look. Here is what you need to know about this stuff. Here's the lingo, here's what those terms mean, here's what happens when a packet arrives..."

It's OK if no such page(s) exist. But it's not wrong for me to ask the Forum if anyone has links.

1 Like

Sounds like a good resource. Would you provide links?

Most of the threads are focused on DSCP for QoS, but all include a sound basic nftables firewall. These were written before firewall4 was available.

2 Likes

In 2 to 5 hours you are able to read the nftables wiki cover to cover. Twice.
Then there is the man page for nftables.
If you are familiar with the concept of tables and chains you should not have that hard a time.
I can only repeat my point: you said you have issues understanding a ruleset but you did not share it, so how could anyone point you in a specific direction?

For my sins, I did write most of the openwrt page on nft: https://openwrt.org/docs/guide-user/firewall/misc/nftables - this was just done quickly, as previously it was largely empty, and I just wanted something in place to show how to get it working on openwrt, and not to go into the details of nft. I've updated it on major releases, but only made the minor changes needed for that release.

Also, gut feeling: when the 22.03 version of openwrt comes out it will need a more major rewrite, as 22.03 with fw4 is nftables based. I'll probably still keep the above page, as how to do nftables from a file - as, speaking just for myself, I like that format.

As to how to learn nftables, well, I'm not an expert by any means. I myself learnt the structure of it directly from the nftables web site wiki; and learning the structure of tables, containing chains, containing rules is critical.

Learning the various rules, well, the wiki again is the place to start. But I also found nft describe to be critical if you want to know exactly what is possible. E.g. to get the full options of oiftype, nft describe oiftype gives them; I found nft describe to have some things in it that I've not seen documented elsewhere.

And I'm sorry this isn't a completely clear introduction. Alas, I haven't yet found a good introduction. So I think there is space for someone to write one!

4 Likes
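The two things asked for in this thread, how to read what nft list ruleset prints and what "tables containing chains containing rules" looks like in practice, are easiest to see side by side. The script below is an added example, not code from any poster here or from the OpenWrt wiki page: it writes a small, fully commented ruleset in the same syntax that nft list ruleset prints, pulls the table and chain names back out of it, and syntax-checks it with nft -c before anything is loaded. The file path, the "filter" table name and the allowed SSH port are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): a minimal, fully
# commented nftables ruleset in the same syntax that `nft list ruleset`
# prints, plus helpers to inspect it and to check it before loading.
# The file path, the "filter" table name and the allowed SSH port are
# assumptions for the example.

RULESET_FILE="${RULESET_FILE:-${TMPDIR:-/tmp}/example-filter.nft}"

# Write the example ruleset. Reading it top to bottom shows the nesting that
# nft list ruleset prints: a table contains chains, a chain contains rules.
write_ruleset() {
    cat > "$RULESET_FILE" <<'EOF'
#!/usr/sbin/nft -f
# Start from an empty state so loading this file twice gives the same result.
flush ruleset

# A table is a namespace for chains. Family "inet" handles IPv4 and IPv6 together.
table inet filter {
    # A base chain is attached to a netfilter hook with "type ... hook ...".
    # Packets addressed to this host pass the "input" hook. "priority 0" orders
    # this chain among other chains on the same hook; the policy is the
    # verdict for packets that reach the end of the chain without a match.
    chain input {
        type filter hook input priority 0; policy drop;

        # Rules are evaluated top to bottom; the first verdict (accept/drop) ends it.
        iif "lo" accept comment "loopback"
        ct state established,related accept comment "replies to our own connections"
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 accept comment "ssh"
        # Everything else falls through to the chain policy (drop).
    }

    # Traffic routed through this host; nothing is allowed until rules are added.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    # Traffic generated by this host; accepted by default.
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse the table declarations out of a ruleset (works on a saved file and on
# the output of "nft list ruleset" alike). Prints "<family> <name>" per table.
list_tables() {
    awk '/^[[:space:]]*table [^ ]+ [^ ]+ [{]/ { print $2, $3 }' "$RULESET_FILE"
}

# Print the chain names in the order they appear.
list_chains() {
    awk '/^[[:space:]]*chain [^ ]+ [{]/ { print $2 }' "$RULESET_FILE"
}

# Syntax-check the file without touching the live ruleset (nft -c). Run this
# before "nft -f" so a typo cannot leave the box with no working firewall.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed here; skipping syntax check" >&2
        return 0
    fi
    nft -c -f "$RULESET_FILE"
}

# Load the file, first saving the previous ruleset (with a leading
# "flush ruleset" so "nft -f $BACKUP_FILE" restores it exactly). Needs root.
BACKUP_FILE="${BACKUP_FILE:-${TMPDIR:-/tmp}/ruleset-backup.nft}"
load_ruleset() {
    check_ruleset || return 1
    { echo "flush ruleset"; nft list ruleset; } > "$BACKUP_FILE" \
        && nft -f "$RULESET_FILE"
}

# Stand-alone usage: write the file and show its structure.
if [ "${1:-}" = "--demo" ]; then
    write_ruleset
    echo "tables:"; list_tables
    echo "chains:"; list_chains
    check_ruleset
fi
```

Run it with --demo to get the file written and checked; after nft -f, nft list ruleset prints back essentially the same text minus the comments, so the file doubles as the key for reading the live output.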

This is a perfect (although somewhat disappointing) answer to the question - there doesn't appear to be a decent tutorial for nftables. Drat. But I can stop Googling...

I completely understand your "... for my sins..." comment :) You realized that somebody needed to write some documentation, and that "somebody" turned out to be you. I applaud you, and there's no need to apologize. Thanks.

2 Likes

Hi rich, when I started with nftables (about 2014-2015?) I used Arch Linux guides to get going and then nftables wiki for more details.

https://wiki.archlinux.org/title/nftables

2 Likes

This is certainly the kind of document I was looking for. Thanks!

1 Like

Someone, @ldir, in another thread shared a link to what looks like an excellent write-up on the connection tracking aspect of nft. A 3 part series so far.
Link to that thread post:
https://forum.openwrt.org/t/nftables-and-qos-in-2021/112013/565

Quote from that post:

https://thermalcircle.de/doku.php?id=blog:linux:connection_tracking_1_modules_and_hooks goes into more depth than my mind can cope with.
