FireBall

nftables, iptables and netfilter question

I have a few questions about where the drop policy gets applied.

1. Which one applies the drop rule first?
2. iptables and nftables are user space appliances, but I don't know deeper: do they work in kernel space and pipe the requests from user space, or do they work completely after kernel space?
3. Is there any possibility to drop a packet before any kernel space module? I tried with netfilter and dropped an IP xx.xx.xx.xx, and I realized that tcpdump was still reading the traffic but iptables was not. So the traffic is still passing to kernel space on netfilter.
David Favor

1.  Clarify your question. Unsure what you're asking.

2. Both nftables + iptables work in kernel space. These programs run in user space to create kernel space netfilter rules.

3. If you're asking, is there a way to drop a packet before it hits an interface, the answer is yes. By using a physical box, like a hardware firewall in front of your interfaces. In software, packets arrive on interfaces + then are affected by netfilter, so I'm guessing you'll see arrival of packets in all cases. Packets must arrive before they can be acted on by netfilter.

https://netfilter.org/projects/nftables/ explains how nftables works...

"nftables replaces the popular {ip,ip6,arp,eb}tables. This software provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queueing and logging subsystem."

Refer to these links for more information.

https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables

https://linux-audit.com/differences-between-iptables-and-nftables-explained/
Maybe your first question "Which one first apply the drop rule" relates to the case where you're using both iptables + nftables.

If this is what you're asking, both command line tools generate kernel level rules.

All rules run simultaneously. There is no precedence, because both command line tools are simply generating rules inside the Kernel netfilter VM (virtual machine), so all rules run based on type of rule...

Inserts are inserted at top/start of chains.

Adds are added at bottom/end of chains.
FireBall (ASKER)

"Clarify your question. Unsure what you're asking."

I am asking what the order of processing a packet is. As far as I understand, 1. is netfilter because it is the base of both, 2. ?, 3. ?
If I use iptables and nftables together and put a drop rule in both, which one will block?


"If you're asking, is there a way to drop a packet before it hits an interface"

Nearly all the physical boxes are already kernel-based devices. I am not asking about that; I am asking this: a packet simulation has been attached to the answer, and I want to block the packet before netfilter, if it is possible.
For example, ethtool has a property for blocking source IP/port and destination IP/port on the interface if it has an 82599+ chipset. But it is limited; there is no additional option like TTL etc.
We tested with 5 million pps on ntuple and it has perfect performance, but if these 5 million pps hit iptables it locks up the whole server. I need to find a way that is more efficient than these systems.
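The two points in the thread, "which tool's drop rule wins" and "can I drop before the rest of the stack", can be seen in one nft ruleset. This is an added illustration, not code from the thread or from the nftables project; it assumes an interface named eth0, and the addresses 192.0.2.0/24 and 198.51.100.7 are constructed (RFC 5737 documentation ranges).

```nft
#!/usr/sbin/nft -f
# Added illustration (not from the thread). Assumes interface "eth0";
# 192.0.2.0/24 and 198.51.100.7 are constructed documentation addresses.
flush ruleset

# Earliest netfilter hook: the netdev family "ingress" hook runs right after
# the driver hands the frame to the stack, before prerouting, before conntrack
# (-200) and before any iptables table. AF_PACKET taps (tcpdump) are served
# before this hook, which is why tcpdump still shows packets dropped here.
table netdev early_drop {
    set blocked_src {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }
    chain ingress_eth0 {
        type filter hook ingress device eth0 priority -500; policy accept;
        ip saddr @blocked_src counter drop
        # ethtool ntuple cannot match TTL; a netfilter rule can:
        ip ttl lt 5 counter drop
    }
}

# Ordering between tools: iptables (legacy and -nft) registers its chains on
# the same hooks at fixed priorities (raw -300, mangle -150, nat -100,
# filter 0, security 50). Which chain sees a packet first is decided by the
# priority number, not by which tool wrote the rule. A "drop" verdict in any
# base chain is final; an "accept" only ends that chain, and later chains on
# the same hook (including the iptables filter INPUT chain) still run.
table inet filter {
    chain input {
        # priority -10 < 0: evaluated before iptables' filter INPUT chain
        type filter hook input priority -10; policy accept;
        ct state established,related accept
        ct state invalid counter drop
    }
}
```

Load with `nft -f <file>` as root and compare `nft list ruleset` counters against the iptables counters to see which chain consumed the packets.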
ASKER CERTIFIED SOLUTION
David Favor

I will open a project about this tomorrow and write to you as well; if you are interested, I will be glad to see you there.