
I'm on Ubuntu 20.10 trying to do some routing config for my virtual network, and I'm confused about the interactions between the 3 main types of firewall technology used in modern Linux distros, namely:

  • iptables
  • nft netfilter
  • bpf berkeley packet filter

Can someone please answer the following:

  • How do I check to see which ones are installed?
  • Can all 3 of these firewalls peacefully co-exist on one client? If not, how can I safely uninstall one or another?
  • What layers of translation are included? E.g., if I have an iptables executable on Ubuntu 20.10, is that actually iptables the firewall, or an interface to the netfilter API?
  • Is there a program for the BPF API that is meant for conventional firewall tasks? (I've seen plenty of tracing programs, but nothing intended for firewalls.)

Also, to complicate things, I compiled my own 5.10.11 kernel based on the 5.8.0-40-generic .config file with all netfilter rules enabled. Could this potentially create any roadblocks for me going forward?

Because most modules are compiled in-kernel, lsmod does not give a typical output, but I'll post it anyway. I can post .config if that would help.

Here's my current lsmod as it relates to netfilter:

# lsmod | egrep 'net|filter|table|nft|ipt|bpf'
vmnet                  53248  13
ipt_REJECT             16384  0
nft_compat             20480  0
dell_wmi_descriptor    20480  2  dell_wmi,dell_smbios
ip_tables              28672  0
x_tables               45056  10 xt_conntrack,xt_cgroup,nft_compat,xt_multiport,xt_tcpudp,xt_owner,ipt_REJECT,ip_tables,xt_MASQUERADE,xt_mark

Here's my current ip forwarding rules:

# sysctl -a | grep forward | grep '= 1'
sysctl: reading key "kernel.spl.hostid"
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eno1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.ovs-netdev.forwarding = 1
net.ipv4.conf.ovsdpdkbr0.forwarding = 1
net.ipv4.conf.tunl0.forwarding = 1
net.ipv4.conf.virbr0.forwarding = 1
net.ipv4.conf.virbr0-nic.forwarding = 1
net.ipv4.conf.vmnet1.forwarding = 1
net.ipv4.conf.vmnet8.forwarding = 1
net.ipv4.conf.vnet0.forwarding = 1
net.ipv4.conf.vnet1.forwarding = 1
net.ipv4.conf.vnet2.forwarding = 1
net.ipv4.conf.vnet3.forwarding = 1
net.ipv4.conf.vnet4.forwarding = 1
net.ipv4.conf.wlp110s0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1

I noticed this message in dmesg and thought it might be instructive:

nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
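An added example (not from the question or either answer) for the "which ones are installed" part: a read-only inventory script that tells iptables-legacy, iptables-nft/nftables, the xt_bpf match and tc BPF apart. It relies on the `(nf_tables)`/`(legacy)` suffix that `iptables -V` prints, on the real module names (ip_tables, nf_tables, nft_compat, xt_bpf, cls_bpf) and kernel config options; the SAMPLE_* strings are constructed, modelled on the lsmod output above, so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example; not code from the question or answers. SAMPLE_* values are
# constructed (shape copied from the lsmod output in the question).
iptables_backend() {   # classify the banner of `iptables -V`
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;   # iptables-nft, Ubuntu's default alternative
    *"(legacy)"*)    echo legacy ;;      # iptables-legacy, classic x_tables backend
    *)               echo unknown ;;
  esac
}

# Read lsmod text on stdin; print which filtering families have modules loaded.
# Code built in with =y never appears in lsmod, hence config_has below.
lsmod_families() {
  awk '
    $1 == "ip_tables" || $1 == "x_tables" || $1 ~ /^iptable_/ { xt = 1 }
    $1 == "nf_tables" || $1 ~ /^nft_/                        { nft = 1 }
    $1 == "xt_bpf"                                           { xtbpf = 1 }
    $1 == "cls_bpf" || $1 == "act_bpf"                       { tc = 1 }
    END {
      if (xt)    out = out "xtables "
      if (nft)   out = out "nf_tables "
      if (xtbpf) out = out "xt_bpf "
      if (tc)    out = out "tc_bpf "
      sub(/ $/, "", out); print out
    }'
}

# Read a kernel .config on stdin; succeed if the option is built in (=y) or a module (=m).
config_has() { grep -qx "$1=[ym]"; }

SAMPLE_LSMOD='ipt_REJECT 16384 0
nft_compat 20480 0
ip_tables 28672 0
x_tables 45056 10 xt_conntrack,nft_compat,ipt_REJECT,ip_tables'
SAMPLE_CONFIG='CONFIG_NF_TABLES=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NET_CLS_BPF=y'
# Inventory of the running host; invoke the script with --live. Reads only, changes no rules.
live_inventory() {
  for c in iptables-legacy iptables-nft nft bpftool tc; do
    command -v "$c" >/dev/null 2>&1 && echo "found: $c"
  done
  command -v iptables >/dev/null 2>&1 && echo "iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
  echo "loaded families: $(lsmod | lsmod_families)"
  f="/boot/config-$(uname -r)"; [ -r "$f" ] && config_has CONFIG_NF_TABLES < "$f" && echo "kernel: CONFIG_NF_TABLES set"
}
if [ "${1:-}" = --live ]; then live_inventory; fi
```

On the question's own lsmod output the parser reports both xtables (ip_tables, x_tables) and nf_tables (nft_compat, the layer that lets iptables-nft reuse xt_* matches and targets), which is the expected picture when the iptables binary is really iptables-nft.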

2 Answers

  • Iptables is a frontend to kernel netfilter hooks.

  • All these clients use the same netfilter hooks to deliver verdicts on packets; I do not think they interfere with each other.

BPF for conventional firewall tasks is bpfilter, but it is relatively new and still hasn't been merged into the mainline kernel AFAIK.

What we have now is xt-bpf in iptables-extensions, I think this is what you want.

The kernel netfilter hook point does not have good BPF support, what a shame... Traffic Control BPF (tc-ebpf) has good functionality for dropping and modifying packets, but the hook point isn't as convenient.

A.C.

Note: This answer tries to explain @Anthea Chen's answer.

The following explanation should be taken with a grain of salt, as it's merely based on theoretical understanding.

The Core

  1. The filtering is done by the kernel netfilter hooks, which are points in the network stack within the Linux kernel that allow certain functions (like iptables) to "hook into" the packet processing flow. This is where decisions are made about what to do with network packets (e.g., accept, reject, modify, etc.).

    This part works at different points in the packet processing path (like PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) and is ideal for implementing firewalls and NAT.

  2. There is another part of the kernel called tc-ebpf (Traffic Control eBPF) that is responsible for traffic control.

    This part operates at the network scheduling layer, allowing for complex traffic shaping, packet scheduling, and classification tasks. tc-ebpf can be used to write eBPF programs that are executed as part of these traffic control processes.

The netfilter Clients

  • iptables and nftables are frontends (basically command line utilities) for the aforementioned kernel netfilter hooks; they both exist in user space.

  • bpfilter, the BPF/eBPF based firewall, is also a frontend, but as it is BPF/eBPF based it gets compiled into bytecode and then runs sandboxed on a BPF virtual machine in kernel space, giving it much more power than both iptables and nftables.

All of them are clients of the kernel netfilter hooks, so they work together with no interference, as @Anthea mentioned.

Usage of eBPF

  • bpfilter would be considered an alternative to iptables and nftables. However, it hasn't made it into the mainline kernel yet.

  • There is an iptables extension called xt-bpf, which allows BPF bytecode to be used in iptables rules, allowing the usage of BPF's syntax by wrapping it into iptables rules.

  • Even though tc-ebpf is available in the core and could be used with the BPF syntax directly, it's not simple (not convenient) and would complicate the task of a firewall.

weshouman