nftablesã§acceptã¨dropã«ãƒžãƒƒãƒã™ã‚‹ã¨dropã«ãªã‚‹å•é¡Œ
nftablesを使ã£ã¦ã‚‹ã¨ã€accept ã—ã¦ã‚‚ä»–ã®ãƒ†ãƒ¼ãƒ–ルã§reject(drop)ã•ã‚Œã¦ã—ã¾ã†ã“ã¨ãŒã‚る。
複数テーブルã§accept 㨠dropãŒæ··åˆã—ã¡ã‚ƒã†
例ãˆã°ã€tableAã¨tableBã«forwardã®è¨±å¯è¨å®šã‚’書ãã‚ã‘よ。tableAã§Acceptã—ã¦ã‚‹ã®ã«ã€tableB㧠reject ã•ã‚Œã‚‹ã‹ã‚‰ã€çµæžœã¨ã—㦠reject ã«ãªã£ã¡ã‚ƒã†ã€‚
table ip tableA {
chain forward {
type filter hook forward priority filter; policy drop;
iifname br0 oifname eth1 ip6 daddr 1.1.1.1 accept comment "# cf"
jump handle_reject
}
}
table inet tableB {
chain forward {
type filter hook forward priority filter; policy drop;
$RULE_A accept
jump handle_reject
}
}
8.8.8.8ã¸ã®forwardを許å¯ã™ã‚‹ä¾‹ã¨æ‹’å¦ã™ã‚‹ä¾‹ã‚’åŒæ™‚ã«å…¥ã‚Œã‚‹ã€‚
例ãˆã°ã€8.8.8.8 ã¨ã®é€šä¿¡ã‚’許å¯ï¼ˆAccept)ã¨æ‹’å¦ï¼ˆReject)をåŒæ™‚ã«å…¥ã‚Œã‚‹ã¨ã©ã†ãªã‚‹ã‹ã‚’見ã¦ã¿ã‚ˆã†ã€‚
å…ˆã«çµæžœã‚’è¿°ã¹ã¦ãŠã㨠accept & rejectã¤ã¾ã‚Šã€true & false ã¨ãªã‚Šçµæžœã¯false(拒å¦ãƒ»REJECT)ã«ãªã‚‹
8.8.8.8 ã‚’forward accept ã™ã‚‹
nft create table ip allow8888
nft create chain ip allow8888 forward { type filter hook forward priority filter\; policy drop\; }
nft add rule ip allow8888 forward iifname br0 oifname wan0 ip daddr 8.8.8.8 counter accept
nft list table ip allow8888
8.8.8.8 ã‚’forward reject ã™ã‚‹
nft create table ip deny8888
nft create chain ip deny8888 forward { type filter hook forward priority filter\; policy accept\; }
nft add rule ip deny8888 forward iifname br0 oifname wan0 ip daddr 8.8.8.8 counter reject
nft list table ip deny8888
パケットé€ã‚‹ã¨reject(unreachable)ã«ãªã‚‹
PS C:\Users\takuya> ping 8.8.8.8 Pinging 8.8.8.8 with 32 bytes of data: Reply from 192.168.1.1: Destination port unreachable. Reply from 192.168.1.1: Destination port unreachable. Reply from 192.168.1.1: Destination port unreachable. Reply from 192.168.1.1: Destination port unreachable.
カウンタçµæžœã¯æ¬¡ã®ã‚ˆã†ã«ãªã‚‹ã€‚
table ip deny8888 {
chain forward {
type filter hook forward priority filter; policy drop;
iifname "br0" oifname "wan0" ip daddr 8.8.8.8 counter packets 8 bytes 520 reject
}
}
table ip allow8888 {
chain forward {
type filter hook forward priority filter; policy drop;
iifname "br0" oifname "wan0" ip daddr 8.8.8.8 counter packets 8 bytes 520 accept
}
}
カウンタçµæžœã‚’見るã¨ä¸€ç›®çžç„¶ã ãŒã€ä¸¡æ–¹ã®ã‚«ã‚¦ãƒ³ã‚¿ãŒå›žã£ã¦ã„る。ã™ãªã‚ã¡ã€ãƒ‘ケットã¯æ£ã—ã処ç†ã•ã‚Œã¦ã„る。Acceptã•ã‚ŒãŸã‚ã¨ã«RejectãŒè©•ä¾¡ã•ã‚Œã‚‹ã®ã 。
ã“ã‚Œã¯Priorityã ã‚ã†ã¨æ€ã†ã‹ã‚‚ã—れ無ã„ãŒã€å„ªå…ˆåº¦ã‚’変ãˆã¦ã‚‚çµæžœã¯åŒã˜ã§ã‚る。accept ãŒå…ˆã«å‡¦ç†ã•ã‚Œã¦ã‚‚ã‚ã¨ã‹ã‚‰Rejectã•ã‚Œã‚‹ã—ã€Rejectã‚’å…ˆã«ã™ã‚‹ã¨Acceptã¾ã§åˆ°é”ã—ãªã„。
ã¨ã„ã†ã“ã¨ãªã®ã§ã€ãƒ–ãƒãƒƒã‚¯ã•ã‚Œã‚‹ãƒ«ãƒ¼ãƒ«ã®ç›´å‰ã«ãƒ«ãƒ¼ãƒ«ã‚’å·®ã—込む必è¦ãŒã‚る。
ã©ã†ã—ãŸã‚‰ã„ã„ã‚“ã 。nftables。accept箇所ã®å…ˆã‚‚ã‚ã‚‹ã‚“ã 。Acceptã§ã¯ç§»è¡Œã‚’スã‚ップã§ããªã„ã‚“ã æ¢ã¾ã‚‰ã„ã‚“ã 。ã©ã†ã™ã‚Œã°è‰¯ã„ã®ã‹ã€‚
ã¡ã‚ƒã‚“ã¨ã€insert ã—ã¦æŒ‡å®šå ´æ‰€ã«çªã£è¾¼ã‚€ã—ã‹ç„¡ã„。
ã‚ã‚“ã©ãã•ã„ã“ã¨ã“ã®ä¸Šãªã„ãŒã€ã¡ã‚ƒã‚“ã¨ãƒ«ãƒ¼ãƒ«ã‚’INSERTã—ã¦æŒ‡å®šå ´æ‰€ã«å·®ã—込む必è¦ãŒã‚る。
ãã†ã™ã‚‹ã¨ã€ã“ã‚“ã©ã¯forwardã«ãƒ«ãƒ¼ãƒ«ãŒé›†ä¸ã—ã¦ã—ã¾ã†ã€ãã—ã¦jump ãŒã‚ã‚‹ãŸã‚ã«ã€è¿½ã„ã‹ã‘ã‚‹ã®ãŒæ›´ã«é¢å€’ã«ãªã‚‹ã€‚
forwardを見ã¦ã‚‚jump ã€jump jump jump ã®å¤šæ®µJumpãŒå¤§é‡ã«è¨˜è¼‰ã•ã‚Œã‚‹ã“ã¨ã«ãªã‚Šã€iptablesより追ã„ã‹ã‘ã‚‹ã®ãŒé¢å€’ã«ãªã‚Šãƒ»ãƒ»ãƒ»
å›°ã£ã¡ã‚ƒã†ã‚ˆã€‚nftables
jump 追ã„ã‹ã‘ã‚‹ã®ãŒé¢å€’。
複数テーブルã¨è¤‡æ•°ã®ãƒã‚§ã‚¤ãƒ³ãŒã‚ã‚‹ã®ã§ã€è¿½ã„ã‹ã‘ã«ãã„。ã©ã“ã§Dropã•ã‚Œã¦ã‚‹ã®ã‹ã¯counterを入れã¦èª¿ã¹ã‚‹ã“ã¨ãŒã§ãる。jump ã•ã㧠jump ã•ã‚Œã¦ã—ã¾ã†ã¨è„³å†…メモリãŒè¿½ã„ã¤ã‹ãªã„。
ã—ã‹ã—ã€drop ã•ã‚Œã¦ã„るルールを回é¿ã™ã‚‹ã®ã¯ã‚ã‚“ã©ãã•ã„。
nftables test dump ã¿ãŸã„ãªã‚³ãƒžãƒ³ãƒ‰ãŒã»ã—ã„。ã©ã®jumpを通ã£ã¦ã©ã“ã«ãƒžãƒƒãƒã—ã¦drop/rejectã•ã‚Œã¦ã‚‹ã®ã‹è¿½ã„ã‹ã‘ã‚‹ã®ãŒå¤§å¤‰ã よ。
nft monitor trace
一応ã€nft monitor 㨠meta nftrace set 1 ã§è¿½ã„ã‹ã‘ã‚‹ã“ã¨ãŒã§ãã‚‹ã®ã ãŒã€‚
nft add chain inet fw4 filter { type filter hook prerouting priority -301\; }
nft add rule inet fw4 filter trace_chain meta nftrace set 1
nftace ãŒãªã‚“ã‹å‹•ã‹ãªã„ã‚“ã§ã™ã‚ˆãã‡ã€‚
Error: syntax error, unexpected meta add rule inet fw4 filter trace_chain meta nftrace set 1
ã‚‚ã—ã‹ã—ãŸã‚‰ã€ã‚«ãƒ¼ãƒãƒ«ãƒ¢ã‚¸ãƒ¥ãƒ¼ãƒ«ï¼Ÿï¼Ÿ
counterã§åœ°é“ã«è¿½ã„ã‹ã‘ã¦ã‚‹ã‘ã©åœ°ç„。。。
