表达式

• accept、drop、queue、continue、return、jump chain、goto chain
• masquerade - 源地址自动设置为出口地址
• type
  • filter、route、nat

family	-
ip	IPv4 - 默认
ip6	IPv6
inet	IPv4/IPv6
arp	IPv4 ARP
bridge	经过桥接设备的包
netdev	入口设备

[地址类型]

hook	desc
prerouting	所有进入系统的包，在路由之前处理，可用于过滤和修改属性
input	进入 本地 系统的包
forward	转发到其他 host 的包
output	本地 发出的包
postrouting	所有离开系统的包
ingress	所有进入系统的包， L3 之前，早于 prerouting，只能用于 inet

[Hook 类型]

• 地址 支持的 hook
  • ip,ip6,inet,bridge - prerouting,input,forward,output,postrouting
  • arp - input,output
  • netdav - ingress

优先级

PRI	name	def	desc
-400		NF_IP_PRI_CONNTRACK_DEFRAG	priority of defragmentation
-300	raw	NF_IP_PRI_RAW	traditional priority of the raw table placed before connection tracking operation
-225		NF_IP_PRI_SELINUX_FIRST	SELinux operations
-200		NF_IP_PRI_CONNTRACK	Connection tracking operations
-150	mangle	NF_IP_PRI_MANGLE	mangle operation
-100	dstnat	NF_IP_PRI_NAT_DST	DNAT
0	filter	NF_IP_PRI_FILTER	filtering operation, the filter table
50	security	NF_IP_PRI_SECURITY	Place of security table where secmark can be set for example
100	srcnat	NF_IP_PRI_NAT_SRC	SNAT
225		NF_IP_PRI_SELINUX_LAST	SELinux at packet exit
300		NF_IP_PRI_CONNTRACK_HELPER	connection tracking at exit

bridge 优先级

| Name | Value ｜ Hooks | | ------ | -------------- | ----------- | | dstnat | -300 | prerouting | | filter | -200 | all | | out | 100 | output | | srcnat | 300 | postrouting |

匹配

• meta （元属性，如接口）
  • oif、iif、oifname、iifname
• icmp （ICMP 协议）
  • type
• icmpv6 （ICMPv6 协议）
  • type
• ip （IP 协议）
  • protocol
  • daddr
  • saddr
• ip6 （IPv6 协议）
  • daddr
  • saddr
• tcp （TCP 协议）
  • dport
  • sport
• udp （UDP 协议）
  • dport
  • sport
• sctp （SCTP 协议）
  • dport
  • sport
• ct （链接跟踪）
  • state new | established | related | invalid

# 查看端口
nft describe tcp dport

nft

• \ 续行
• # 注释
• 标识符 ^[a-zA-Z][a-zA-Z0-9/\_.]*
  • 可使用双引号避免冲突
• nft.8

# 引入文件
# -I/--includepath
# 忽略 . 开头文件
include filename

# 定义变量
define variable = expr
# 使用变量
$variable

nft cli

# 描述信息
nft describe tcp flags
nft describe ct_state
nft describe icmp type

主要操作对象

• rulset - 所有的 table 和 chain
  • {list | flush} ruleset [family]
• table
  • chain 容器
  • 通过 地址类型和名字标识

{add | create} table [family] table [{ flags flags ; }]
{delete | list | flush} table [family] table
list tables [family]
delete table [family] handle handle

• chain
  • rule 容器
  • 区分 base chian 和 regular chain
  • base - entry point for packets from the networking stack
    • 支持 policy - 默认 accept
  • regular - may be used as jump target and is used for better rule organization
  • chain type

type	families	hooks
filter	all	all
nat	ip, ip6, inet	prerouting, input, output, postrouting
route	ip, ip6	output

• nat 通过做 NAT 处理，只处理第一个包 - 用于 created conntrack entry

{add | create} chain [family] table chain [{ type type hook hook [device device] priority priority ; [policy policy ;] }]
{delete | list | flush} chain [family] table chain
list chains [family]
delete chain [family] table handle handle
rename chain [family] table chain newname

• rule
  • 实际操作规则

{add | insert} rule [family] table chain [handle handle | index index] statement ... [comment comment]
replace rule [family] table chain handle handle statement ... [comment comment]
delete rule [family] table chain handle handle

• set - {80,443}
  • 区分匿名集合和有名字的集合
  • 用于辅助定义
  • 用过 @set_name 引用

add set [family] table set { type type | typeof expression ; [flags flags ;] [timeout timeout ;] [gc-interval gc-interval ;] [elements = { element[, ...] } ;] [size size ;] [policy policy ;] [auto-merge ;] }
{delete | list | flush} set [family] table set
list sets [family]
delete set [family] table handle handle
{add | delete} element [family] table set { element[, ...] }

• map
• element
• flowtable
  • accelerate packet forwarding in software
  • layer 3/4
• 状态对象
  • counter
  • quota
• ct helper
  • 定义 connection tracking helper
  • 用于 ct helper set
• ct timeout
  • update connection tracking timeout
• ct expectation
  • create connection expectations
  • 用于 ct expectation set
• counter
• quota

默认规则

# 清空
flush ruleset

# 基础 IPv4/IPv6 有状态的防火墙 - 用户服务器或工作站
table inet filter {
	chain input {
    # 默认 drop input
		type filter hook input priority 0; policy drop;

    # 允许本地流量
		iifname lo accept \
		comment "Accept any localhost traffic"

    # 允许出去的流量
		ct state { established, related } accept \
		comment "Accept traffic originated from us"

    # 丢弃无效连接
		ct state invalid drop \
		comment "Drop invalid connections"

    # 113 端口返回端口不可达
    # https://en.wikipedia.org/wiki/Ident_protocol
    # https://github.com/janikrabe/oidentd
    # apk add oidentd
		tcp dport 113 reject with icmpx type port-unreachable \
		comment "Reject AUTH to make it fail fast"

		# ICMPv4
    # 接受指定类型的 icmp 类型
		ip protocol icmp icmp type {
			echo-reply,  # type 0
			destination-unreachable,  # type 3
			time-exceeded,  # type 11
			parameter-problem,  # type 12
		} accept \
		comment "Accept ICMP"

    # 限制 ping 速率
		ip protocol icmp icmp type echo-request limit rate 1/second accept \
		comment "Accept max 1 ping per second"

		# ICMPv6

		ip6 nexthdr icmpv6 icmpv6 type {
			destination-unreachable,  # type 1
			packet-too-big,  # type 2
			time-exceeded,  # type 3
			parameter-problem,  # type 4
			echo-reply,  # type 129
		} accept \
		comment "Accept basic IPv6 functionality"

		ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept \
		comment "Accept max 1 ping per second"

    # IPv6 SLAAC 协议
		ip6 nexthdr icmpv6 icmpv6 type {
			nd-router-solicit,  # type 133
			nd-router-advert,  # type 134
			nd-neighbor-solicit,  # type 135
			nd-neighbor-advert,  # type 136
		} ip6 hoplimit 255 accept \
		comment "Allow IPv6 SLAAC"

    # IPv6 多播链路发现
		ip6 nexthdr icmpv6 icmpv6 type {
			mld-listener-query,  # type 130
			mld-listener-report,  # type 131
			mld-listener-reduction,  # type 132
			mld2-listener-report,  # type 143
		} ip6 saddr fe80::/10 accept \
		comment "Allow IPv6 multicast listener discovery on link-local"
	}

	chain forward {
    # 默认不允许转发
		type filter hook forward priority 0; policy drop;
	}

	chain output {
    # 默认不允许 output
		type filter hook output priority 0; policy accept;
	}
}
# 包含自定义规则
include "/etc/nftables.d/*.nft"

masquerade

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # 源地址自动设置为出口地址
    oifname "enp0s2" masquerade
  }
}

允许常用端口

table inet filter {
  chain input {
    type filter hook input priority 0;
    # allow ssh,http
    tcp dport {ssh,http,https} accept
    # http3 use udp
    udp dport {https} accept
  }
}

限定来源地址

define ALLOWED_NETS = {
  192.168.0.0/16,
  1.2.3.4
}

table inet firewall {
  chain inbound {
    type filter hook input priority 0; policy drop;
    # 限定来源访问
    tcp dport { http, https } ip saddr $ALLOWED_NETS accept
    udp dport { http, https } ip saddr $ALLOWED_NETS accept
  }
}

所有端口重定向到 22

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
    tcp dport != 22 redirect to 22
  }
  chain postrouting {
    type nat hook postrouting priority 0;
  }
}