nftables support #924
Comments
Yes, this is absolutely something I want to implement but I haven't got my head around nftables yet. Any help would be much appreciated. For example, if you could provide the nftables commands to set up the equivalent functionality of what is currently set up using iptables/ipsets, that would be very helpful.
Posting info on behalf of my colleague who did the work: Command line iptables calls are:
Unlike iptables, nftables doesn't come with a fixed set of tables or default chains. The actual hook points are mostly the same, but I think keepalived would need an extra config option for which table to add rules to, because it's not really possible to just assume that With this additional config, we can get:
which gives some output like:
and then to delete the rule:
but I don't believe that you can get that handle without parsing output. Maybe Clearly the rule deletion isn't good, so I guess the other option is maintaining some internal state of expected rules for each VRRP instance and making the user create a chain specifically for use by keepalived, so that it's easy to atomically flush and rewrite it when things change. Also, the above is all for IPv4. For IPv6, the user would either need to have the table configured as After investigating this, we realised that we don't actually want the blocking functionality that keepalived uses iptables for in our setup, but hope this helps anyways.
@niconorsk Many thanks for this update. What keepalived does currently is it adds entries to the chains specified in the
and for IPv6:
and the ipset configuration will look something like:
There is not a problem adding configuration to keepalived to specify the table(s) to use. It could be something like: What would be really helpful would be to know the nft commands that would be needed (and I understand that TABLE will have to be specified), to set up the same configuration as I have listed above using iptables/ipsets.
Ok, so will post a bunch of nft commands below with the following assumptions:
So here goes:
At time of writing, nftables does not quite support doing exactly what you are doing with the keepalived_if6 set. Declaring it literally works but doing named concatenations does not yet work, although it is a rapidly developed project so this may change in the future. Like was mentioned in the previous post, individual rule deletion is tricky, which is why I went with the assumption of flushing the whole chain instead.
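The dedicated-chain approach suggested in the two comments above (a chain the user creates for keepalived, flushed and rewritten as one transaction whenever the protected addresses change, with rules that match on sets so no rule handles are ever needed), as an added example that is not part of this thread or of keepalived's code. The table, chain and set names and the drop policy are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not keepalived's own code: render an nft script that
# atomically rewrites a chain dedicated to keepalived. Table, chain and
# set names below, and the drop action, are assumptions for illustration.

NFT_TABLE="inet keepalived"
NFT_CHAIN="vips"
NFT_SET4="vip4"
NFT_SET6="vip6"

# render_ruleset "<v4 addrs>" "<v6 addrs>": print an nft script to stdout.
# Both arguments are whitespace-separated lists and may be empty.
# The declarations are idempotent under 'nft -f'; the flush statements
# discard the previous state, and because 'nft -f' applies the whole file
# as one transaction there is no window in which the chain is empty.
render_ruleset() {
  v4="$1"; v6="$2"
  printf 'table %s {\n' "$NFT_TABLE"
  printf '  set %s { type ipv4_addr; }\n' "$NFT_SET4"
  printf '  set %s { type ipv6_addr; }\n' "$NFT_SET6"
  printf '  chain %s { type filter hook input priority 0; }\n' "$NFT_CHAIN"
  printf '}\n'
  printf 'flush chain %s %s\n' "$NFT_TABLE" "$NFT_CHAIN"
  printf 'flush set %s %s\n' "$NFT_TABLE" "$NFT_SET4"
  printf 'flush set %s %s\n' "$NFT_TABLE" "$NFT_SET6"
  # Unquoted expansion is intentional: each word is one address.
  for a in $v4; do
    printf 'add element %s %s { %s }\n' "$NFT_TABLE" "$NFT_SET4" "$a"
  done
  for a in $v6; do
    printf 'add element %s %s { %s }\n' "$NFT_TABLE" "$NFT_SET6" "$a"
  done
  # The rules reference the sets, so membership changes never need the
  # rule handles that the thread found awkward to obtain.
  printf 'add rule %s %s ip daddr @%s drop\n' "$NFT_TABLE" "$NFT_CHAIN" "$NFT_SET4"
  printf 'add rule %s %s ip6 daddr @%s drop\n' "$NFT_TABLE" "$NFT_CHAIN" "$NFT_SET6"
}

# apply_ruleset "<v4 addrs>" "<v6 addrs>": hand the script to nft as a
# single transaction. Requires root and the nft binary; not run here.
apply_ruleset() {
  render_ruleset "$1" "$2" | nft -f -
}
```

Calling `render_ruleset` on its own lets you inspect or `nft -c -f -` check the generated script before applying it.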
@niconorsk Many thanks for this information. I'm not sure what you mean by For your information, keepalived normally does not invoke the iptables/ip6tables/ipset commands, but uses functions in the ip4tc, ip6tc, xtables and ipset libraries. I would plan to make use of the library interface to nftables, but knowing what rules I need to create is really helpful. That might make rule deletion simpler too.
What I meant was this works: But there is no support for doing something like this:
@niconorsk Many thanks for your guidance with this. When I have time I will implement nftables support.
I spent time around, I am a little sceptical and perplexed about it. IMHO, if we 'just' need some basic filtering then the best-performing and future-proof way would be a TC filter and/or XDP (eBPF). I am right now digging into XDP and will provide a patch soon. Implementing a TC filter or XDP will not require adding a new third-party lib.
Support for nftables now added. This gives an improvement over using iptables/ipsets. When XDP support is available, that will provide another option.
Just wanted to put this up for other people like me who discover the inherent dependency. Is this something that is being considered at all? If not, any suggestions for people who want to use nftables to workaround this dependency.