
Linux NFTables Support in fwknop

Open theckman opened this issue 12 years ago • 28 comments

NFTables, which is a new packet filter subsystem for the Linux kernel, has been pulled into the git tree for the Linux 3.13 build. NFTables is on track to replace the tried-and-true iptables system.

This issue is to request that, when NFTables is pushed into mainline, support be added to fwknop.

I'm not sure what systems/kernels you have access to for development purposes, but if needed I should be able to provide a system with nftables / Linux 3.13.

theckman avatar Oct 20 '13 02:10 theckman

Thanks for the suggestion. This will definitely be added to fwknop and the other cipherdyne.org projects as well.

mrash avatar Oct 20 '13 18:10 mrash

With the new command open/close cycle stuff, I think integrating with NFTables will be easy.

mrash avatar Dec 24 '15 14:12 mrash

Is there any news on this issue?

fabianfrz avatar Feb 20 '17 17:02 fabianfrz

Any news?

LuciferSam86 avatar Jun 13 '18 15:06 LuciferSam86

I'll poke at this as well, it's blocking our deployment.

andrewdunndev avatar Feb 14 '19 04:02 andrewdunndev

Perhaps it's not as easy as originally expected. 😐

mauricev avatar Jun 19 '20 20:06 mauricev

Wow, it's been 8 years and nothing?

mpsOxygen avatar Aug 27 '21 12:08 mpsOxygen

9 years already

q2dg avatar Mar 24 '22 12:03 q2dg

I think it may be possible to use a custom script that takes the iptables ... command and uses iptables-translate ... to convert the iptables ... command to an nft ... equivalent (see the "command translation" section on this page on nftables). Might have to convert the filter name if the current nftables ruleset uses a differently named filter name.

I think this is possible because this option --with-iptables=/path/to/iptables exists. Maybe just have it point to your custom script, and have the script convert the iptables ... command and apply it to the current nftables rules.

It's kind of a "hack" to get it working this way, as one would probably have to write up their own script and have some checks in place so that the rule would work correctly with the current nftables ruleset.

EDIT: Oh wait, the --with-iptables=... is a compiler (configure) option, not a command option.

EDIT2: So I'm guessing fwknop uses the first valid iptables command in $PATH. Maybe one could create a script, name it iptables, place it in some other directory and prepend that directory to $PATH. One would have to make sure the server would use that custom $PATH though. Seems a bit too much trouble to get it working this way, unless you really want it to use nftables rules.

EDIT3: So it looks like one can set the FIREWALL_EXE in the fwknopd.conf, so doing some $PATH hackery is probably not needed. I may investigate what a custom script should be to be able to handle nftables.

EDIT4: It appears that fwknopd expects to work with output from iptables ..., so I don't think the "custom script approach" will work here. fwknop will have to implement proper nftables support, unless I overlooked something.

Stephen-Seo avatar Apr 13 '22 04:04 Stephen-Seo

10 years; is this going to be fixed, or do we look for alternatives to fwknop?

geo99918 avatar May 31 '23 12:05 geo99918

Yeah, that's become critical. Speaking of the alternatives, what do we actually have?

bam80 avatar Jun 06 '23 12:06 bam80

Yeah, that's become critical. Speaking of the alternatives, what do we actually have?

I heard WireGuard has a similar feature of not revealing itself unless the package with the right key arrives. Maybe not the same functionality, but we can live with it.

geo99918 avatar Jun 06 '23 12:06 geo99918

Speaking of WireGuard for OpenWRT low-powered devices particularly, some time ago I had success with this project: https://github.com/adyanth/openwrt-tailscale-enabler It's overkill of course, but I see no other real alternatives right now.

bam80 avatar Jun 06 '23 12:06 bam80

@mrash Some additional context for consideration regarding prioritising #107 over #285.

  1. OpenWRT switched from fw3 (iptables) to fw4 (netfilter/nftables) in at least 22.03.x releases.
  2. OpenWRT has a fwknop package. The OpenWRT fwknop package does not support fw4 yet since the upstream package mrash/fwknop binary does not.
  3. OpenWRT users with your (awesome) software installed can't get access to their freshly updated routers.

Have you had a brief look at the iptables-to-nftables migration instructions yet? Helpful for scoping the change(s) needed.

davidandreoletti avatar Jun 14 '23 18:06 davidandreoletti

I suspect that fwknop can support nft as it stands today with the "command cycle" feature. Here is an example of getting fwknop to work with ipset even though ipset is not "directly" supported in the same way as iptables/pf/ipfw: https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#spa-with-ipset Similarly, I'm guessing fwknop could support nft. It would be an interesting exercise to see if this could actually work. That said, I agree that fwknop should support nft in the same way as iptables since nft is clearly here to stay.

mrash avatar Jun 15 '23 02:06 mrash

nft is clearly here to stay

Yes!

The following major Linux distributions continue to distribute iptables but have already moved to nftables in some capacity for core firewalling functionality via firewalld:

The following Linux distributions hint at an eventual ipset deprecation:

fwknop can support nft as it stands today with the command cycle feature

@mrash No doubt fwknop will have to have full programmatic nftables support eventually to remain well supported for Linux end users.

In the meantime, would you consider the following as a suitable short-term course of action for a growing list of fwknop users coming to knock at this GitHub repo for better nftables support?

  1. @mrash lists most fwknop-generated iptables rules. I do not know if the example iptables rules need to cover additional cases beyond:
  • port open rule
  • port close rule
  • keep connection state tracked after port closed rule
  2. @bam80 / @geo99918 / @Stephen-Seo and others (@davidandreoletti included) convert the rules into nftables rules via iptables-translate + test them on OpenWRT routers using fwknop's access.conf CMD_CYCLE_OPEN/CMD_CYCLE_CLOSE settings
  3. Provide @mrash with nftables rule examples to update the doc with for future users, if that's something you are interested in.

davidandreoletti avatar Jun 15 '23 05:06 davidandreoletti
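
As an added example (not fwknop project code, and not something posted in this thread) of the command-cycle approach mrash points to and the three steps above: a wrapper script that fwknopd can call from CMD_CYCLE_OPEN/CMD_CYCLE_CLOSE to add and remove a client in an nftables set, the nft counterpart of the ipset tutorial linked above. The script path, the table and set names, the 30 s timer and the nft ruleset it assumes are choices made for this example; $IP and $PORT are fwknopd's access.conf substitution variables as used in that tutorial. Because fwknopd runs the command as root, the script validates the address and port before handing them to nft rather than trusting its argv.

```shell
#!/bin/sh
# fwknop-nft.sh: added example, not fwknop project code.
# Called by fwknopd via access.conf, e.g. (path and 30 s timer are this
# example's choices; $IP and $PORT are fwknopd substitution variables):
#   CMD_CYCLE_OPEN   /usr/local/sbin/fwknop-nft.sh open  $IP $PORT
#   CMD_CYCLE_CLOSE  /usr/local/sbin/fwknop-nft.sh close $IP $PORT
#   CMD_CYCLE_TIMER  30
#
# Assumed nftables layout, created once before fwknopd starts (names are
# this example's choices). The established,related rule is what keeps an
# SSH session alive after the element is removed; the set-element timeout
# is a kernel-side backstop in case fwknopd never runs the close command.
#   nft add table inet filter
#   nft add set inet filter fwknop_allow \
#       '{ type ipv4_addr . inet_service; flags timeout; }'
#   nft add rule inet filter input ct state established,related accept
#   nft add rule inet filter input ct state new \
#       ip saddr . tcp dport @fwknop_allow accept

NFT="${NFT:-nft}"
TABLE="${FWKNOP_NFT_TABLE:-inet filter}"   # family + table, two words
SET="${FWKNOP_NFT_SET:-fwknop_allow}"
TIMEOUT_S="${FWKNOP_NFT_TIMEOUT:-30}"      # keep equal to CMD_CYCLE_TIMER

# Accept only a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# Accept only a decimal port 1-65535.
valid_port() {
  case "$1" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Run nft, or with DRY_RUN set just print the command line (for testing).
run_nft() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# fwknop_nft ACTION IP PORT: add or remove one set element.
# fwknopd already validates the SPA fields, but this runs as root and
# should not trust its argv anyway, so everything is checked again here.
fwknop_nft() {
  _action=$1; _ip=$2; _port=$3
  valid_ipv4 "$_ip"   || { echo "fwknop-nft: bad IP '$_ip'" >&2; return 1; }
  valid_port "$_port" || { echo "fwknop-nft: bad port '$_port'" >&2; return 1; }
  case "$_action" in
    open)
      # $TABLE is deliberately unquoted so "inet filter" becomes two words.
      run_nft "$NFT" add element $TABLE "$SET" \
        "{ $_ip . $_port timeout ${TIMEOUT_S}s }" ;;
    close)
      # Deleting an element the kernel already expired is not a failure.
      run_nft "$NFT" delete element $TABLE "$SET" "{ $_ip . $_port }" || return 0 ;;
    *)
      echo "fwknop-nft: unknown action '$_action'" >&2; return 1 ;;
  esac
}

# Dispatch only when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
  fwknop_nft "$@" || exit 1
fi
```

Because the element carries its own timeout, a crash of fwknopd between open and close still results in the port closing, which the plain iptables insert/delete cycle does not give you. The established,related rule must sit before the set match; without it the SSH session opened during the window is dropped as soon as the element expires.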

@davidandreoletti you took it off my tongue, I was thinking about this approach too.
For 1) I would need help. For other steps, I will upgrade my router soon and would be able to help myself.

bam80 avatar Jun 15 '23 20:06 bam80

In the meantime, would you consider the following as a suitable short term course of action for a growing list of fwknop users coming to knock at this GitHub repo for better nftables support ?

@davidandreoletti maybe you could create a separate issue for that where we could share the info?

bam80 avatar Jun 16 '23 09:06 bam80

The current issue is the right spot for it as:

  • I expect the work to get fwknopd to open/close ports/etc. rules to be nftables-dependent only, even if it will be tested on OpenWRT primarily "first".
  • Other users (including OpenWRT ones) have one central place to chime in about their findings/fixes.

davidandreoletti avatar Jun 16 '23 12:06 davidandreoletti

nft is clearly here to stay

Yes!

The following major Linux distributions continue to distribute iptables but have already moved to nftables in some capacity for core firewalling functionality via firewalld:

The following Linux distributions hint at an eventual ipset deprecation:

fwknop can support nft as it stands today with the command cycle feature

@mrash No doubt fwknop will have to have full programmatic nftables support eventually to remain well supported for Linux end users.

In the meantime, would you consider the following as a suitable short-term course of action for a growing list of fwknop users coming to knock at this GitHub repo for better nftables support?

  1. @mrash lists most fwknop-generated iptables rules. I do not know if the example iptables rules need to cover additional cases beyond:
  • port open rule
  • port close rule
  • keep connection state tracked after port closed rule
  2. @bam80 / @geo99918 / @Stephen-Seo and others (@davidandreoletti included) convert the rules into nftables rules via iptables-translate + test them on OpenWRT routers using fwknop's access.conf CMD_CYCLE_OPEN/CMD_CYCLE_CLOSE settings
  3. Provide @mrash with nftables rule examples to update the doc with for future users, if that's something you are interested in.

@mrash (ping)

davidandreoletti avatar Jul 04 '23 08:07 davidandreoletti

@mrash if you have no more time/interest to support the project, better let us know earlier than later

bam80 avatar Jul 04 '23 09:07 bam80

I'm not sure why y'all would need the author to list the iptables commands in the code, or update the docs. The code's right there for you to look at and submit a PR.

akerl avatar Jul 04 '23 10:07 akerl

@akerl every project should have a maintainer(s). If there is no maintainer any more, it should be declared publicly. For now it was said several times by the author that there's gonna be a maintenance release and such, but things don't seem to have progressed since then. So it's better to just describe the situation precisely than feed us false hopes.

bam80 avatar Jul 04 '23 10:07 bam80