Can someone explain interactions between iptables, nftables and bpf?
I'm on Ubuntu 20.10 trying to do some routing config for my virtual network, and I'm confused about the interactions between the 3 main types of firewall technology used in modern Linux distros, namely:
Tags: iptables, nft, netfilter, bpf, berkeley packet filter
Can someone please answer the following:
- How do I check to see which ones are installed?
- Can all 3 of these firewalls peacefully co-exist on one client? If not, how can I safely uninstall one or another?
- What layers of translation are included? e.g. if I have an `iptables` executable on Ubuntu 20.10, is that actually `iptables` the firewall, or an interface for the `netfilter` API?
- Is there a program for the `bpf` API that is meant for conventional firewall tasks? (I've seen plenty of tracing programs, but nothing intended for a firewall.)
Also, to complicate things, I compiled my own 5.10.11 kernel based on 5.8.0-40-generic .config file with all netfilter rules enabled. Could this potentially create any roadblocks for me going forward?
Because most modules are compiled in-kernel, lsmod does not give a typical output, but I'll post it anyway. I can post .config if that would help.
Here's my current lsmod as it relates to netfilter:

```
# lsmod | egrep 'net|filter|table|nft|ipt|bpf'
vmnet 53248 13
ipt_REJECT 16384 0
nft_compat 20480 0
dell_wmi_descriptor 20480 2 dell_wmi,dell_smbios
ip_tables 28672 0
x_tables 45056 10 xt_conntrack,xt_cgroup,nft_compat,xt_multiport,xt_tcpudp,xt_owner,ipt_REJECT,ip_tables,xt_MASQUERADE,xt_mark
```

Here's my current ip forwarding rules:
```
# sysctl -a | grep forward | grep '= 1'
sysctl: reading key "kernel.spl.hostid"
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eno1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.ovs-netdev.forwarding = 1
net.ipv4.conf.ovsdpdkbr0.forwarding = 1
net.ipv4.conf.tunl0.forwarding = 1
net.ipv4.conf.virbr0.forwarding = 1
net.ipv4.conf.virbr0-nic.forwarding = 1
net.ipv4.conf.vmnet1.forwarding = 1
net.ipv4.conf.vmnet8.forwarding = 1
net.ipv4.conf.vnet0.forwarding = 1
net.ipv4.conf.vnet1.forwarding = 1
net.ipv4.conf.vnet2.forwarding = 1
net.ipv4.conf.vnet3.forwarding = 1
net.ipv4.conf.vnet4.forwarding = 1
net.ipv4.conf.wlp110s0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
```

I noticed this message in dmesg and thought it might be instructive:

```
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
```

1 Answer
Iptables is a frontend to kernel netfilter hooks.
All these clients use the same netfilter hooks to deliver verdicts on packets; I do not think they interfere with each other.
BPF for conventional firewall tasks is bpfilter, but it is relatively new, and still hasn't merged into mainline kernel AFAIK.
What we have now is xt-bpf in iptables-extensions; I think this is what you want.
The kernel Netfilter hookpoint does not have good BPF support, what a shame... Traffic Control BPF (tc-ebpf) has good functionality for dropping and modifying packets, but the hook point isn't as convenient.
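The question's first two bullets (which of these are installed, and whether the `iptables` binary is really iptables or a front end) can be answered from a shell without root. The script below is an added example, not code from the question or the answer: it classifies the backend that `iptables -V` reports (modern iptables prints `(nf_tables)` or `(legacy)`), scans lsmod-style text for the xtables, nf_tables and xt_bpf modules, and, when run with `--live`, probes the running host. The sample module list is constructed from the lines in the question; `live_probe` and the helper names are this example's own.

```sh
#!/bin/sh
# Added example: report which packet-filter front ends are present and
# which kernel backend the iptables binary talks to. The pure functions
# take text as input so they can be checked offline; live_probe() feeds
# them output from the running system.

# Classify `iptables -V` output. iptables >= 1.8 prints the backend in
# parentheses: "(nf_tables)" is the nft-based binary that translates rules
# into nf_tables, "(legacy)" is the classic xtables binary. Older releases
# print nothing after the version, which we report as "legacy-old".
classify_iptables_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        "")              echo absent ;;
        *)               echo legacy-old ;;
    esac
}

# Return 0 if module $1 appears as the first column of lsmod-style text $2.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Summarise which kernel-side frameworks an lsmod listing reveals.
# Prints a space-separated subset of: xtables nftables xt_bpf
# Caveat (as in the question): modules built into the kernel never show
# up in lsmod, so "absent here" does not mean "absent from the kernel".
backends_from_lsmod() {
    out=""
    if module_loaded x_tables "$1" || module_loaded ip_tables "$1"; then
        out="$out xtables"
    fi
    # nft_compat lets nf_tables reuse xtables match/target modules, so its
    # presence means nf_tables is in use even if nf_tables itself is built in.
    if module_loaded nf_tables "$1" || module_loaded nft_compat "$1"; then
        out="$out nftables"
    fi
    if module_loaded xt_bpf "$1"; then
        out="$out xt_bpf"
    fi
    echo "${out# }"
}

# Constructed sample, taken from the lsmod lines shown in the question.
SAMPLE_LSMOD='vmnet 53248 13
ipt_REJECT 16384 0
nft_compat 20480 0
ip_tables 28672 0
x_tables 45056 10 xt_conntrack,nft_compat,ipt_REJECT,ip_tables'

# Probe the running host (no root needed for any of these calls).
live_probe() {
    if command -v iptables >/dev/null 2>&1; then
        echo "iptables backend: $(classify_iptables_version "$(iptables -V 2>/dev/null)")"
    else
        echo "iptables backend: absent"
    fi
    # Debian/Ubuntu switch between iptables-legacy and iptables-nft via alternatives.
    if command -v update-alternatives >/dev/null 2>&1; then
        update-alternatives --display iptables 2>/dev/null | head -n 2
    fi
    if command -v nft >/dev/null 2>&1; then
        echo "nft binary: present ($(nft -v 2>/dev/null))"
    else
        echo "nft binary: absent"
    fi
    if command -v lsmod >/dev/null 2>&1; then
        echo "from lsmod: $(backends_from_lsmod "$(lsmod)")"
    fi
    # /proc/net/ip_tables_names exists whenever ip_tables is available
    # (built in or loaded) and lists the registered tables.
    if [ -r /proc/net/ip_tables_names ]; then
        echo "ip_tables tables: $(tr '\n' ' ' < /proc/net/ip_tables_names)"
    fi
    return 0
}

if [ "${1:-}" = --live ]; then
    live_probe
else
    echo "sample classification: $(backends_from_lsmod "$SAMPLE_LSMOD")"
fi
```

Run it as `sh check-fw.sh --live`; without the flag it only classifies the embedded sample, which yields `xtables nftables` (the question's host has both the xtables modules and `nft_compat` loaded, i.e. nft-style rules built on xtables extensions). An `nf_tables` result from `iptables -V` means the iptables rules you write are translated into nf_tables and will appear in `nft list ruleset`, which is the concrete form of the answer's point that all these front ends end up at the same netfilter hooks.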