
I'm on Ubuntu 20.10 trying to do some routing config for my virtual network, and I'm confused about the interactions between the 3 main types of firewall technology used in modern Linux distros, namely:

  • iptables
  • nft netfilter
  • bpf berkeley packet filter

Can someone please answer the following:

  • How do I check to see which ones are installed?
  • Can all 3 of these firewalls peacefully co-exist on one client? If not, how can I safely uninstall one or another?
  • What layers of translation are included? e.g. if I have an iptables executable on Ubuntu 20.10, is that actually iptables the firewall, or an interface for netfilter api?
  • Is there a program for bpf api that is meant for conventional firewall tasks? (I've seen plenty of tracing programs, but nothing intended for firewall)

Also, to complicate things, I compiled my own 5.10.11 kernel based on 5.8.0-40-generic .config file with all netfilter rules enabled. Could this potentially create any roadblocks for me going forward?

Because most modules are compiled in-kernel, lsmod does not give a typical output, but I'll post it anyway. I can post .config if that would help.

Here's my current lsmod as it relates to netfilter:

# lsmod | egrep 'net|filter|table|nft|ipt|bpf'

vmnet                  53248  13
ipt_REJECT             16384  0
nft_compat             20480  0
dell_wmi_descriptor    20480  2 dell_wmi,dell_smbios
ip_tables              28672  0
x_tables               45056  10 xt_conntrack,xt_cgroup,nft_compat,xt_multiport,xt_tcpudp,xt_owner,ipt_REJECT,ip_tables,xt_MASQUERADE,xt_mark

Here are my current IP forwarding rules:

# sysctl -a | grep forward | grep '= 1'

sysctl: reading key "kernel.spl.hostid"
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eno1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.ovs-netdev.forwarding = 1
net.ipv4.conf.ovsdpdkbr0.forwarding = 1
net.ipv4.conf.tunl0.forwarding = 1
net.ipv4.conf.virbr0.forwarding = 1
net.ipv4.conf.virbr0-nic.forwarding = 1
net.ipv4.conf.vmnet1.forwarding = 1
net.ipv4.conf.vmnet8.forwarding = 1
net.ipv4.conf.vnet0.forwarding = 1
net.ipv4.conf.vnet1.forwarding = 1
net.ipv4.conf.vnet2.forwarding = 1
net.ipv4.conf.vnet3.forwarding = 1
net.ipv4.conf.vnet4.forwarding = 1
net.ipv4.conf.wlp110s0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1

I noticed this message in dmesg and thought it might be instructive:

nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

1 Answer

  • Iptables is a frontend to kernel netfilter hooks.

  • All these clients use the same netfilter hooks to deliver verdicts on packets, I do not think they interfere with each other.

BPF for conventional firewall tasks is bpfilter, but it is relatively new and still hasn't been merged into the mainline kernel AFAIK.

What we have now is xt-bpf in iptables-extensions; I think this is what you want.

The kernel Netfilter hook point does not have good BPF support, what a shame... Traffic Control BPF (tc-ebpf) has good functionality for dropping and modifying packets, but the hook point isn't as convenient.

  • Kernel flags xanmod-5.16 (CONFIG_ omitted):

    BPF=y
    HAVE_EBPF_JIT=y
    ARCH_WANT_DEFAULT_BPF_JIT=y
    # BPF subsystem
    BPF_SYSCALL=y
    BPF_JIT=y
    BPF_JIT_ALWAYS_ON=y
    BPF_JIT_DEFAULT_ON=y
    BPF_UNPRIV_DEFAULT_OFF=y
    # BPF_PRELOAD is not set
    # end of BPF subsystem
    CGROUP_BPF=y
    IPV6_SEG6_BPF=y
    NETFILTER_XT_MATCH_BPF=m
    BPFILTER=y
    BPFILTER_UMH=m
    NET_CLS_BPF=m
    NET_ACT_BPF=m
    BPF_STREAM_PARSER=y
    LWTUNNEL_BPF=y
    TEST_BPF=m

    – AveryFreeman Mar 15 '22 at 06:16
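As an added example (not code from the question or the answer), the script below works through the "which ones are installed?" and "is iptables really iptables?" questions: it classifies an iptables binary by the backend tag that `iptables -V` prints since 1.8, checks lsmod-style output for the telltale nft_compat / ip_tables modules (a constructed excerpt modelled on the one in the question), and lists which front-ends are on PATH.

```shell
# Added example, not code from the original post or answer. Since iptables
# 1.8, `iptables -V` ends in "(nf_tables)" or "(legacy)", showing whether the
# binary drives nftables or legacy xtables; pre-1.8 binaries print no tag.

# classify_iptables_version "<output of iptables -V>" -> backend name
classify_iptables_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        iptables\ v*)    echo legacy ;;   # pre-1.8: untagged, xtables only
        *)               echo unknown ;;
    esac
}

# module_loaded NAME "<lsmod output>" -> true if NAME is in the first column
module_loaded() {
    printf '%s\n' "$2" | grep -q "^$1[[:space:]]"
}

# telltale_modules "<lsmod output>" -> which of these are loaded:
#   nft_compat = nftables running xtables matches (what iptables-nft emits),
#   ip_tables  = legacy xtables IPv4 core, nf_tables = nftables core
#   (absent when built into the kernel, as in the questioner's custom build)
telltale_modules() {
    found=""
    for m in nf_tables nft_compat ip_tables; do
        module_loaded "$m" "$1" && found="$found $m"
    done
    echo "${found# }"
}

# report_tools: print which front-ends are on PATH (needs no root)
report_tools() {
    for tool in iptables iptables-legacy iptables-nft nft bpftool; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%-16s not installed\n' "$tool"; continue
        fi
        case "$tool" in
            iptables*) printf '%-16s installed (%s)\n' "$tool" \
                "$(classify_iptables_version "$("$tool" -V 2>/dev/null)")" ;;
            *)         printf '%-16s installed\n' "$tool" ;;
        esac
    done
}

# Constructed lsmod excerpt modelled on the one in the question
sample_lsmod='nft_compat  20480  0
ip_tables   28672  0
x_tables    45056  10 xt_conntrack,nft_compat,ipt_REJECT,ip_tables'
telltale_modules "$sample_lsmod"   # prints: nft_compat ip_tables
report_tools
```

On the questioner's host the sample output shows nft_compat and ip_tables both loaded but nf_tables absent, which is what you expect when the nftables core is built into the kernel and the iptables binary is the nf_tables variant.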