Comments (6)
Hey! Unfortunately, nftables is really complex and your seemingly simple question is not simple to answer. For example, while an IP address might be blocked specifically (easy case), maybe entire networks are blocked (harder case) or maybe the packets are filtered by some other criterion entirely (impossible to figure out in general by just looking at nftables rules — you’d need to evaluate the rules).
I think the only way to determine whether an IP address is blocked or not is to do such a check with detailed knowledge of the nftables configuration. Meaning, if you control (or know) the entire nftables configuration, you can then come up with a working check.
Which software sets up the nftables rules on your host?
Greetings and thanks for taking your time to reply.
Regarding the version:
$ iptables -V
iptables v1.8.7 (nf_tables)
Although it presents itself as "iptables," it operates on the nftables framework underneath, at least as far as I understand.
I employ a script that scans the directory /etc/iptables/ for files with the extension *.conf and loads them. These files adhere to the older format. For instance:
/usr/sbin/iptables -A INPUT -i ens160 -p tcp -s 123.123.123.123/24 -m multiport --dports 22,2222 -j ACCEPT
Given that this rule permits all IPs from 123.123.123.0 to 123.123.123.255, I am interested in determining whether the IP 123.123.123.25 is whitelisted for Port 22. As you mentioned, there are some challenges:
- Parsing all IPs as CIDR and verifying if the IP is included.
- Determining which rule takes precedence if multiple rules are in place.
In my opinion, determining if an IP is whitelisted or blacklisted is a fundamental function of any firewall tool. It also proves useful for conducting A/B testing on applications to verify their functionality.
Parsing the configuration wasn't initially my focus. However, it could potentially serve the purpose, assuming no modifications have been made to the configuration and it hasn't been reloaded. A better approach would involve working with the data/config currently active in nftables/iptables, as this would be correct at any time.
Perhaps suggesting this as a feature request directly to nftables could be beneficial. A command like nftables-status, which allows users to check the status of a specific IP address and port combination, would indeed be quite useful.
For instance:
nftables-status 123.123.123.25 22
IP PORT STATUS
123.123.123.25 22 BLOCKED
What do you think about this idea? Have you encountered others who have expressed a need for this functionality, or is it primarily something I solely find valuable?
Hello again. Based on your reply, I think there might be a misunderstanding.
You are reporting an issue in the google/nftables package, which is a module for the Go programming language to interact with the Linux nftables subsystem at a low level.
You are not in the right place for feature requests for nftables itself, or for tooling that works with nftables (such as your suggested nftables-status).
Before we continue the discussion, are you even using the Go programming language, or did you end up in the wrong repository? :)
@stapelberg sorry for the late reply.
Before we continue the discussion, are you even using the Go programming language, or did you end up in the wrong repository? :)
Yes indeed I am using Golang. And with Golang.
You are not in the right place for feature requests for nftables itself, or for tooling that works with nftables (such as your suggested nftables-status).
I understand that. For such a thing I would need to raise a feature request at nftables directly.
Besides this, is there any chance this module can help me to determine which allow lists do exist?
For example, I want to know all allow rules (chain INPUT). Can this module help me and provide me with an array/list of all subnets/IPs which are in there?
For example:
123.123.123.123 port 26,27
123.123.123.0/24 port 20-24
I then would check if the IP in question (123.123.123.123) is contained in any of them and select the ports of these rules.
So for the IP 123.123.123.121 the ports 20,21,22,23,24 are allowed.
So for the IP 123.123.123.123 the ports 20,21,22,23,24,26,27 are allowed.
Thank you in advance! :)
Yes, you can use this module to obtain all installed nftables rules. See the ListTables, ListChains and GetRules methods.
As I tried to explain before, programmatically understanding nftables rules in general is really hard. As I said, the only way this can work is if you control the program that generates the nftables rules, because then you can make assumptions about the structure of the rules.
For your situation, it sounds like you should:
- Translate the iptables configuration to nftables first (because then there is one less layer in the mix)
- Inspect the rules using the nft command-line tool (e.g. nft list ruleset). The --debug=all flag is useful to break down what’s happening at lower levels.
- Use this knowledge to write your program.
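As an added example (not code from this thread or from the google/nftables module): the containment-and-union check the earlier comment describes, applied once the allow rules of the INPUT chain have been reduced, for instance from nft list ruleset output, to lines in the thread's "<ip-or-cidr> port <list>" form. That line format and the function name AllowedPorts are assumptions of this example; it also accepts IPv6 prefixes, which the thread does not mention.

```go
package main
import (
	"fmt"
	"net/netip"
	"slices"
	"strconv"
	"strings"
)
// AllowedPorts takes allow rules in the "<ip-or-cidr> port <list>" form used in
// the thread and returns the sorted union of ports of every rule matching ip.
func AllowedPorts(rules []string, ip string) ([]int, error) {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return nil, err
	}
	var out []int
	for _, rule := range rules {
		f := strings.Fields(rule)
		if len(f) != 3 || f[1] != "port" {
			return nil, fmt.Errorf("bad rule %q", rule)
		}
		prefix, perr := netip.ParsePrefix(f[0])
		if perr != nil { // bare IP: treat it as a /32 (or /128) prefix
			a, aerr := netip.ParseAddr(f[0])
			if aerr != nil {
				return nil, perr
			}
			prefix = netip.PrefixFrom(a, a.BitLen())
		}
		if !prefix.Contains(addr) { // CIDR containment; v4 and v6 never mix
			continue
		}
		for _, item := range strings.Split(f[2], ",") { // "26,27" or "20-24"
			lo, hi, isRange := strings.Cut(item, "-")
			if !isRange {
				hi = lo
			}
			a, err1 := strconv.Atoi(lo)
			b, err2 := strconv.Atoi(hi)
			if err1 != nil || err2 != nil || a < 1 || b > 65535 || a > b {
				return nil, fmt.Errorf("bad port spec %q in %q", item, rule)
			}
			for p := a; p <= b; p++ {
				out = append(out, p)
			}
		}
	}
	slices.Sort(out)
	return slices.Compact(out), nil // drop ports shared by overlapping rules
}
```

An empty result means no allow rule covers the address; a rule with a reversed or out-of-range port spec is reported as an error rather than silently ignored.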
Thanks @stapelberg this is exactly what I did. I used nft list ruleset and processed the output :)
I appreciate the help!