* nftables wiki
@ 2016-10-05 16:45 Dave Carlton
  2016-10-17 19:38 ` Pablo Neira Ayuso
From: Dave Carlton @ 2016-10-05 16:45 UTC (permalink / raw)
  To: netfilter

I was going to try an add some content as I discover nftables but see no way to create an account.


* Re: nftables wiki
  2016-10-05 16:45 nftables wiki Dave Carlton
@ 2016-10-17 19:38 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2016-10-17 19:38 UTC (permalink / raw)
  To: Dave Carlton; +Cc: netfilter

On Wed, Oct 05, 2016 at 06:45:31AM -1000, Dave Carlton wrote:
> I was going to try an add some content as I discover nftables but see no way to create an account.

Public reply: Anyone willing to have an account in nftables wiki, send
me a private email indicating username. Thanks.


* nftables wiki
@ 2020-03-09 23:09 Frank Myhr
From: Frank Myhr @ 2020-03-09 23:09 UTC (permalink / raw)
  To: netfilter

Hi,

Can I apply to be a registered user of the nftables wiki? I'm just a 
neophyte at nftables so would not make major changes. But I can clarify 
wording and maybe expand on some areas as I continue learning in the 
process of switching my systems from iptables + ipset -> nftables. The 
impetus for me has been discovering that Debian Buster is by default 
using nftables behind the iptables scene. Reason enough to finally take 
the plunge. I imagine others are (or will soon be) in the same 
situation. The wiki is already very helpful, but I'd be glad to help 
update & improve it.

Thanks,
Frank


* Re: nftables wiki
  2017-12-27 18:25 paulo bruck
@ 2017-12-28 10:31 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2017-12-28 10:31 UTC (permalink / raw)
  To: paulo bruck; +Cc: netfilter

Hi Paulo,

On Wed, Dec 27, 2017 at 04:25:56PM -0200, paulo bruck wrote:
> Hi guys. Me again 80)
> 
> I'm studying nftables. I think it would be better IMHO to do a cut and
> paste at the link below that talks about Sets

I can create an account for you, so you can edit this yourself.

Let me know and I'll send you the token privately.

Thanks.

> before
> ############################################
> Named sets
> 
> You can create the named sets with the following command:
> 
> % nft add set filter blackhole { type ipv4_addr\;}
> 
> Note that blackhole is the name of the set in this case. The type
> option indicates the data type that this set stores, which is an IPv4
> address in this case. Current maximum name length is 16 characters.
> 
> % nft add element filter blackhole { 192.168.3.4 }
> % nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }
> 
> Then, you can use it from the rule:
> 
> % nft add rule ip filter input ip saddr @blackhole drop
> 
> Named sets can be updated anytime, so you can add and delete elements from them.
> 
> Eric Leblond in his Why you will love nftables article shows a very
> simple example to compare iptables with nftables:
> 
> ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
> 
> Which can be expressed in nftables with a couple of rules that provide a set:
> 
> % nft add rule ip6 filter input tcp dport {telnet, http, https} accept
> % nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit,
> echo-request, nd-router-advert, nd-neighbor-advert } accept
> ####################################################
> 
> after
> 
> ######################################################
> Eric Leblond in his Why you will love nftables article shows a very
> simple example to compare iptables with nftables:
> 
> ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
> ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
> 
> Which can be expressed in nftables with a couple of rules that provide a set:
> 
> % nft add rule ip6 filter input tcp dport {telnet, http, https} accept
> % nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit,
> echo-request, nd-router-advert, nd-neighbor-advert } accept
> 
> 
> Named sets
> 
> You can create the named sets with the following command:
> 
> % nft add set filter blackhole { type ipv4_addr\;}
> 
> Note that blackhole is the name of the set in this case. The type
> option indicates the data type that this set stores, which is an IPv4
> address in this case. Current maximum name length is 16 characters.
> 
> % nft add element filter blackhole { 192.168.3.4 }
> % nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }
> 
> Then, you can use it from the rule:
> 
> % nft add rule ip filter input ip saddr @blackhole drop
> 
> Named sets can be updated anytime, so you can add and delete elements from them.
> 
> #############################################################
> 
> best regards


* nftables wiki
@ 2017-12-27 18:25 paulo bruck
  2017-12-28 10:31 ` Pablo Neira Ayuso
From: paulo bruck @ 2017-12-27 18:25 UTC (permalink / raw)
  To: netfilter

Hi guys. Me again 80)

I'm studying nftables. I think it would be better IMHO to do a cut and
paste at the link below that talks about Sets

before
############################################
Named sets

You can create the named sets with the following command:

% nft add set filter blackhole { type ipv4_addr\;}

Note that blackhole is the name of the set in this case. The type
option indicates the data type that this set stores, which is an IPv4
address in this case. Current maximum name length is 16 characters.

% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }

Then, you can use it from the rule:

% nft add rule ip filter input ip saddr @blackhole drop

Named sets can be updated anytime, so you can add and delete elements from them.

Eric Leblond in his Why you will love nftables article shows a very
simple example to compare iptables with nftables:

ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

Which can be expressed in nftables with a couple of rules that provide a set:

% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit,
echo-request, nd-router-advert, nd-neighbor-advert } accept
####################################################

after

######################################################
Eric Leblond in his Why you will love nftables article shows a very
simple example to compare iptables with nftables:

ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

Which can be expressed in nftables with a couple of rules that provide a set:

% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit,
echo-request, nd-router-advert, nd-neighbor-advert } accept


Named sets

You can create the named sets with the following command:

% nft add set filter blackhole { type ipv4_addr\;}

Note that blackhole is the name of the set in this case. The type
option indicates the data type that this set stores, which is an IPv4
address in this case. Current maximum name length is 16 characters.

% nft add element filter blackhole { 192.168.3.4 }
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }

Then, you can use it from the rule:

% nft add rule ip filter input ip saddr @blackhole drop

Named sets can be updated anytime, so you can add and delete elements from them.

#############################################################

best regards
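The named set and the ip6 anonymous-set rules quoted above, assembled into one ruleset file loadable with `nft -f`. This is an added example, not the wiki text or anything posted to the list; it goes beyond the quoted snippets by giving the ip6 input chain a default-drop policy with the loopback and conntrack accepts that make such a policy workable, and by marking the blackhole set `flags interval` so it can hold prefixes as well as single addresses. Table and chain names follow the quoted commands; the 203.0.113.0/24 entry is a constructed documentation prefix.

```nft
#!/usr/sbin/nft -f
# Atomic replacement: the whole file is applied as one transaction.
flush ruleset

table ip filter {
    # Named set from the quoted text: type ipv4_addr, named "blackhole".
    # "flags interval" additionally allows CIDR prefixes and ranges.
    set blackhole {
        type ipv4_addr
        flags interval
        elements = { 192.168.3.4, 192.168.1.4, 192.168.1.5,
                     203.0.113.0/24 }   # constructed prefix, added here
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # Reference the named set with "@name"; "counter" makes hits visible
        # in "nft list ruleset" so a blocked source can be spotted later.
        ip saddr @blackhole counter drop
    }
}

table ip6 filter {
    chain input {
        # Default-drop policy is the addition here; the quoted ip6tables
        # lines only showed the ACCEPT rules.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Anonymous sets replace iptables "-m multiport" and the four
        # separate icmpv6-type rules from the quoted example.
        tcp dport { telnet, http, https } accept
        icmpv6 type { nd-neighbor-solicit, echo-request,
                      nd-router-advert, nd-neighbor-advert } accept
    }
}

# The named set can be changed at run time without reloading this file:
#   nft add element ip filter blackhole { 198.51.100.7 }
#   nft delete element ip filter blackhole { 192.168.3.4 }
# Anonymous sets (the ip6 rules above) cannot; editing them means
# replacing the rule.
```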


* Re: nftables wiki
  2015-09-24 13:20 Richard Melville
@ 2015-09-24 17:57 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2015-09-24 17:57 UTC (permalink / raw)
  To: Richard Melville; +Cc: netfilter

On Thu, Sep 24, 2015 at 02:20:26PM +0100, Richard Melville wrote:
> Hi
> 
> I've noticed a number of typos and general errors on the wiki.  Is it
> possible to get write permissions in order to rectify those issues?

Just created an account for you.


* nftables wiki
@ 2015-09-24 13:20 Richard Melville
  2015-09-24 17:57 ` Pablo Neira Ayuso
From: Richard Melville @ 2015-09-24 13:20 UTC (permalink / raw)
  To: netfilter

Hi

I've noticed a number of typos and general errors on the wiki.  Is it
possible to get write permissions in order to rectify those issues?

-- 
Richard Melville
Systems Architect
cellularity.co.uk
stellarsystem.wordpress.com
+44 20 33 555 305
+44 7957 836330
