
Add rules to nftables

Open Regela opened this issue 1 year ago • 0 comments

I want to add some rules to nft and I'm having some problems with it:

First, I added some expressions: https://pastebin.com/qRkYx57N

The rule I have problems with:

`# nft -s list ruleset
table ip nat { chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }

chain PREROUTING {
	type nat hook prerouting priority dstnat; policy accept;
	meta l4proto udp ip daddr 10.10.10.1 udp dport 53 counter dnat to 1.1.1.1:53
}

} table ip filter { chain FORWARD { type filter hook forward priority filter; policy accept; } } your example dump:Tables: ({'nfgen_family': 2, 'version': 0, 'res_id': 57, 'attrs': [('NFTA_TABLE_NAME', 'nat'), ('NFTA_TABLE_FLAGS', 0), ('NFTA_TABLE_USE', 2), ('NFTA_TABLE_HANDLE', 36)], 'header': {'length': 56, 'type': 2560, 'flags': 2, 'sequence_number': 255, 'pid': 318169, 'error': None, 'target': 'localhost', 'stats': Stats(qsize=0, delta=0, delay=0)}}, {'nfgen_family': 2, 'version': 0, 'res_id': 57, 'attrs': [('NFTA_TABLE_NAME', 'filter'), ('NFTA_TABLE_FLAGS', 0), ('NFTA_TABLE_USE', 1), ('NFTA_TABLE_HANDLE', 37)], 'header': {'length': 60, 'type': 2560, 'flags': 2, 'sequence_number': 255, 'pid': 318169, 'error': None, 'target': 'localhost', 'stats': Stats(qsize=0, delta=0, delay=0)}})

Chains: ({'nfgen_family': 2, 'version': 0, 'res_id': 57, 'attrs': [('NFTA_CHAIN_TABLE', 'nat'), ('NFTA_CHAIN_HANDLE', 1), ('NFTA_CHAIN_NAME', 'POSTROUTING'), ('NFTA_CHAIN_HOOK', {'attrs': [('NFTA_HOOK_HOOKNUM', 4), ('NFTA_HOOK_PRIORITY', 100)]}), ('NFTA_CHAIN_POLICY', 1), ('NFTA_CHAIN_TYPE', 'nat'), ('NFTA_CHAIN_FLAGS', frozenset({'NFT_CHAIN_HW_OFFLOAD'})), ('NFTA_CHAIN_USE', 0)], 'header': {'length': 108, 'type': 2563, 'flags': 2, 'sequence_number': 256, 'pid': 318169, 'error': None, 'target': 'localhost', 'stats': Stats(qsize=0, delta=0, delay=0)}}, {'nfgen_family': 2, 'version': 0, 'res_id': 57, 'attrs': [('NFTA_CHAIN_TABLE', 'nat'), ('NFTA_CHAIN_HANDLE', 2), ('NFTA_CHAIN_NAME', 'PREROUTING'), ('NFTA_CHAIN_HOOK', {'attrs': [('NFTA_HOOK_HOOKNUM', 0), ('NFTA_HOOK_PRIORITY', -100)]}), ('NFTA_CHAIN_POLICY', 1), ('NFTA_CHAIN_TYPE', 'nat'), ('NFTA_CHAIN_FLAGS', frozenset({'NFT_CHAIN_HW_OFFLOAD'})), ('NFTA_CHAIN_USE', 1)], 'header': {'length': 108, 'type': 2563, 'flags': 2, 'sequence_number': 256, 'pid': 318169, 'error': None, 'target': 'localhost', 'stats': Stats(qsize=0, delta=0, delay=0)}}, {'nfgen_family': 2, 'version': 0, 'res_id': 57, 'attrs': [('NFTA_CHAIN_TABLE', 'filter'), ('NFTA_CHAIN_HANDLE', 1), ('NFTA_CHAIN_NAME', 'FORWARD'), ('NFTA_CHAIN_HOOK', {'attrs': [('NFTA_HOOK_HOOKNUM', 2), ('NFTA_HOOK_PRIORITY', 0)]}), ('NFTA_CHAIN_POLICY', 1), ('NFTA_CHAIN_TYPE', 'filter'), ('NFTA_CHAIN_FLAGS', frozenset({'NFT_CHAIN_HW_OFFLOAD'})), ('NFTA_CHAIN_USE', 0)], 'header': {'length': 112, 'type': 2563, 'flags': 2, 'sequence_number': 256, 'pid': 318169, 'error': None, 'target': 'localhost', 'stats': Stats(qsize=0, delta=0, delay=0)}})

Rules: {'nfgen_family': 2, 'version': 0, 'res_id': 57, 'attrs': [('NFTA_RULE_TABLE', 'nat'), ('NFTA_RULE_CHAIN', 'PREROUTING'), ('NFTA_RULE_HANDLE', 7), ('NFTA_RULE_EXPRESSIONS', [{'attrs': [('NFTA_EXPR_NAME', 'meta'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_META_KEY', 'NFT_META_L4PROTO'), ('NFTA_META_DREG', 'NFT_REG_1')]})]}, {'attrs': [('NFTA_EXPR_NAME', 'cmp'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_CMP_SREG', 'NFT_REG_1'), ('NFTA_CMP_OP', 'NFT_CMP_EQ'), ('NFTA_CMP_DATA', {'attrs': [('NFTA_DATA_VALUE', b'\x11')]})]})]}, {'attrs': [('NFTA_EXPR_NAME', 'payload'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_PAYLOAD_DREG', 'NFT_REG_1'), ('NFTA_PAYLOAD_BASE', 'NFT_PAYLOAD_NETWORK_HEADER'), ('NFTA_PAYLOAD_OFFSET', 16), ('NFTA_PAYLOAD_LEN', 4)]})]}, {'attrs': [('NFTA_EXPR_NAME', 'cmp'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_CMP_SREG', 'NFT_REG_1'), ('NFTA_CMP_OP', 'NFT_CMP_EQ'), ('NFTA_CMP_DATA', {'attrs': [('NFTA_DATA_VALUE', b'\n\n\n\x01')]})]})]}, {'attrs': [('NFTA_EXPR_NAME', 'match'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_MATCH_NAME', 'udp'), ('NFTA_MATCH_REV', 0), ('NFTA_MATCH_INFO', '00:00:ff:ff:35:00:35:00:00:00:00:00:00:00:00:00')]})]}, {'attrs': [('NFTA_EXPR_NAME', 'counter'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_COUNTER_BYTES', 0), ('NFTA_COUNTER_PACKETS', 0)]})]}, {'attrs': [('NFTA_EXPR_NAME', 'target'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_TARGET_NAME', 'DNAT'), ('NFTA_TARGET_REV', 2), ('NFTA_TARGET_INFO', '03:00:00:00:01:01:01:01:00:00:00:00:00:00:00:00:00:00:00:00:01:01:01:01:00:00:00:00:00:00:00:00:00:00:00:00:00:35:00:35:00:00:00:00:00:00:00:00')]})]}])], 'header': {'length': 428, 'type': 2566, 'flags': 2050, 'sequence_number': 257, 'pid': 318169, 'error': None, 'target': 'localhost', 'stats': Stats(qsize=0, delta=0, delay=0)}} <class 'pyroute2.netlink.nfnetlink.nftsocket.nft_rule_msg'> `

I am trying to add the same rule:

`exp = (l4proto("udp"), ipv4addr(dst="10.10.10.1"), udp_dport(53), counter(), ( { 'attrs': [ ('NFTA_EXPR_NAME', 'target'), ('NFTA_EXPR_DATA', { 'attrs': [ ('NFTA_TARGET_NAME', 'DNAT'), ('NFTA_TARGET_REV', 2), ('NFTA_TARGET_INFO', hexload( '03:00:00:00:01:01:01:01:00:00:00:00:00:00:00:00:00:00:00:00:01:01:01:01:00:00:00:00:00:00:00:00:00:00:00:00:00:35:00:35:00:00:00:00:00:00:00:00')) ] }) ] },))

print(exp)

nft.rule('add', table='nat', chain='PREROUTING', expressions=exp)`

The error is:

(({'attrs': [('NFTA_EXPR_NAME', 'meta'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_META_KEY', 16), ('NFTA_META_DREG', 1)]})]}, {'attrs': [('NFTA_EXPR_NAME', 'cmp'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_CMP_SREG', 1), ('NFTA_CMP_OP', 0), ('NFTA_CMP_DATA', {'attrs': [('NFTA_DATA_VALUE', b'\x11')]})]})]}), [{'attrs': [('NFTA_EXPR_NAME', 'payload'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_PAYLOAD_DREG', 1), ('NFTA_PAYLOAD_BASE', 1), ('NFTA_PAYLOAD_OFFSET', 16), ('NFTA_PAYLOAD_LEN', 4)]})]}, {'attrs': [('NFTA_EXPR_NAME', 'cmp'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_CMP_SREG', 1), ('NFTA_CMP_OP', 0), ('NFTA_CMP_DATA', {'attrs': [('NFTA_DATA_VALUE', b'\n\n\n\x01')]})]})]}], ({'attrs': [('NFTA_EXPR_NAME', 'match'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_MATCH_NAME', 'udp'), ('NFTA_MATCH_REV', 0), ('NFTA_MATCH_INFO', b'\x00\x00\xff\xff5\x005\x00\x00\x00\x00\x00\x00\x00\x00\x00')]})]},), ({'attrs': [('NFTA_EXPR_NAME', 'counter'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_COUNTER_BYTES', 0), ('NFTA_COUNTER_PACKETS', 0)]})]},), ({'attrs': [('NFTA_EXPR_NAME', 'target'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_TARGET_NAME', 'DNAT'), ('NFTA_TARGET_REV', 2), ('NFTA_TARGET_INFO', b'\x03\x00\x00\x00\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x005\x005\x00\x00\x00\x00\x00\x00\x00\x00')]})]},)) Traceback (most recent call last): File "/tmp/pycharm_project_872/nftables.py", line 194, in <module> nft.rule('add', File "/usr/local/lib/python3.10/dist-packages/pyroute2/nftables/main.py", line 323, in rule return self._command(nft_rule_msg, commands, cmd, kwarg) File "/usr/local/lib/python3.10/dist-packages/pyroute2/netlink/nfnetlink/nftsocket.py", line 1297, in _command self.nlm_request_batch(messages, noraise=(flags & NLM_F_ACK) == 0) File "/usr/local/lib/python3.10/dist-packages/pyroute2/netlink/nlsocket.py", line 882, in nlm_request_batch return tuple(self._genlm_request_batch(*argv, **kwarg)) File 
"/usr/local/lib/python3.10/dist-packages/pyroute2/netlink/nlsocket.py", line 1173, in nlm_request_batch for msg in self.get(msg_seq=seq, noraise=noraise): File "/usr/local/lib/python3.10/dist-packages/pyroute2/netlink/nlsocket.py", line 873, in get return tuple(self._genlm_get(*argv, **kwarg)) File "/usr/local/lib/python3.10/dist-packages/pyroute2/netlink/nlsocket.py", line 550, in get raise msg['header']['error'] pyroute2.netlink.exceptions.NetlinkError: (22, 'Invalid argument')

This part `exp = (l4proto("udp"), ipv4addr(dst="10.10.10.1"), counter(), )

print(exp)

nft.rule('add', table='nat', chain='PREROUTING', expressions=exp) ` worked fine

How can I do it? Or is there a higher-level API for working with nft?
