Page MenuHomePhabricator
Create Task
Maniphest T509

Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables
Open, NormalPublic
Actions

Description

nftables is the biggest change in the linux firewalling system in more than a decade.

It promises simplified rulesets, unification of IPv4/IPv6 rules and superior performance to iptables. It also allows backward compatibility with iptables rules. There may be benefits to switching but also reasons for not: if it ain't broke don't fix it. Nonetheless its some food for thought.

Supported in recent kernels 3.13+ and packaged in Debian for Jessie and up.

https://en.wikipedia.org/wiki/Nftables
http://wiki.nftables.org/wiki-nftables/index.php/Main_Page
http://netfilter.org/projects/nftables/
http://ral-arturo.org/2018/06/16/nfws2018.html

Or Berkeley Packet Filter (BPF)?

https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/

IPv6 is coming in Tor:

TODO:

Details

Impact
Normal

Related Objects

Event Timeline

HulaHoop created this task.May 11 2016, 10:15 PM
Herald added subscribers: WhonixQubes, Patrick. · View Herald TranscriptMay 11 2016, 10:15 PM
Patrick added projects: whonix-gw-firewall, whonix-ws-firewall, vpn-firewall.May 11 2016, 10:25 PM
Patrick added a subscriber: marmarek.
Patrick added a comment.EditedMay 11 2016, 10:30 PM

Yes, one day, nftables may be a good idea. Also, one day, IPv6 support may not be avoided if it is so widespread that Whonix would stand out without having IPv6 support.

Whonix is still "essentially based on the https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy wiki page".

ipv6 / nftables is not something I am looking forward to. At the moment Whonix is well leak tested. There are leaks as obscure as the following one:
FIN ACK / RST ACK - Leak Test

And I wouldn't know who would have the skills and time to create an nftables based Whonix firewall that works at first as good as our current one.

So I propose to avoid nftables / IPv6 as long as sanely possible.

EDIT:
I would like to finish other work in preparation. Namely, packaging corridor and enabling testers to easily set up it as leak testing gateway in front of Whonix-Gateway. (corridor is now ready.)

Patrick mentioned this in T524: Using corridor, a Tor traffic whitelisting gateway with Whonix KVM.Jul 20 2016, 12:56 AM
Patrick updated the task description. (Show Details)Jan 30 2017, 10:04 AM
Patrick updated the task description. (Show Details)
marmarek added a comment.Jan 30 2017, 11:06 AM

Please note that Qubes 4.0 will use nftables (if available):
https://github.com/QubesOS/qubes-issues/issues/974#issuecomment-251825457

But it shouldn't be a problem to use iptables at the same time - thanks to compatibility layer. Using nftables in Qubes will allow to enable qubes-firewall in Whonix Gateway without breaking firewall installed by Whonix - at least in theory.

Patrick updated the task description. (Show Details)Jan 31 2017, 8:23 PM
Patrick added a project: iptables.Feb 5 2017, 2:34 PM
Patrick updated the task description. (Show Details)Feb 5 2017, 4:45 PM
Patrick updated the task description. (Show Details)Feb 5 2017, 4:56 PM
iry added a subscriber: iry.Jan 22 2018, 10:04 PM
Patrick updated the task description. (Show Details)Jun 18 2018, 2:23 PM
HulaHoop added a comment.Jun 20 2018, 1:03 PM

nftables transition info:

http://ral-arturo.org/2018/06/16/nfws2018.html

HulaHoop added a comment.Dec 3 2018, 5:02 PM

https://researchut.com/post/migrating-firewall-to-nftables/

HulaHoop added a comment.Oct 17 2019, 5:29 PM

Starting with Bullseye nftables will be the default:

https://ral-arturo.org/2019/10/14/debian-netfilter.html

Patrick added a comment.Oct 21 2019, 5:33 AM

NonaSuomy:

Added requested NFTables example from duclicsic #netfilter freenode.

Patrick updated the task description. (Show Details)Dec 11 2019, 1:09 AM

Or skip nftables and use Berkeley Packet Filter (BPF)?

https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/

Patrick renamed this task from Consider nftables as a replacement for iptables to Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables.Dec 11 2019, 1:11 AM
Patrick added a subscriber: madaidan.
marmarek added a comment.Dec 11 2019, 2:35 AM

It looks like bpfilter is in rather early stages, and it's few years until we'll see it in Debian.

ak88 added a subscriber: ak88.Aug 9 2021, 5:22 PM

Any updates on this?

In T509#9147, @Patrick wrote:

And I wouldn't know who would have the skills and time to create an nftables based Whonix firewall that works at first as good as our current one.

I've actually been working with nftables and IPv6 quite a bit lately. Maybe I could offer some insight?

Nftables is essentially just an alternative syntax to iptables. It uses the same core engine (netfilter) under the hood, and has the same symantics as iptables. There are even automated tools for converting between the two.

For example, here's what the current Whonix Workstation firewall would look like (on my machine at least) in nftables:

table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy drop;
		ct state invalid counter packets 0 bytes 0 drop
		ct state invalid counter packets 0 bytes 0 drop
		tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack counter packets 0 bytes 0 drop
		tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 drop
		tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 drop
		ip frag-off & 8191 != 0 counter packets 0 bytes 0 drop
		tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 drop
		tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 drop
		iifname "lo" counter packets 0 bytes 0 accept
		ct state established counter packets 0 bytes 0 accept
		ip protocol tcp counter packets 0 bytes 0 reject with tcp reset
		counter packets 0 bytes 0 reject
	}

	chain FORWARD {
		type filter hook forward priority 0; policy drop;
		counter packets 0 bytes 0 drop
	}

	chain OUTPUT {
		type filter hook output priority 0; policy drop;
		ct state invalid counter packets 0 bytes 0 reject with icmp type admin-prohibited
		ct state invalid counter packets 0 bytes 0 reject with icmp type admin-prohibited
		tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | ack counter packets 0 bytes 0 reject with icmp type admin-prohibited
		tcp flags & (fin | syn) == fin | syn counter packets 0 bytes 0 reject with icmp type admin-prohibited
		tcp flags & (syn | rst) == syn | rst counter packets 0 bytes 0 reject with icmp type admin-prohibited
		ip frag-off & 8191 != 0 counter packets 0 bytes 0 reject with icmp type admin-prohibited
		tcp flags & (fin | syn | rst | psh | ack | urg) == fin | syn | rst | psh | ack | urg counter packets 0 bytes 0 reject with icmp type admin-prohibited
		tcp flags & (fin | syn | rst | psh | ack | urg) == 0x0 counter packets 0 bytes 0 reject with icmp type admin-prohibited
		oifname "lo" counter packets 0 bytes 0 accept
		ip daddr 10.137.0.8 udp dport domain counter packets 0 bytes 0 accept
		ip daddr 10.152.152.10 udp dport domain counter packets 0 bytes 0 accept
		ip daddr 10.139.1.1 udp dport domain counter packets 0 bytes 0 accept
		ip daddr 10.139.1.2 udp dport domain counter packets 0 bytes 0 accept
		ip protocol != tcp counter packets 0 bytes 0 reject
		counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 reject
	}
}

There's also iptables-nft, which converts iptables commands into nftables commands on the fly. In theory you could instantly convert a whole system just by symlinking it.

Is there something I'm missing here? The only catch I can think of is that nftables doesn't directly support ipset, which is used by corridor. We would have to patch corridor to use either ipset-translate or nftables native sets, or replace the ipset command with a shim. Still, it doesn't sound too difficult either way.

IPv6 is kind of a separate issue, is it not? I'm not sure what it has to do with migrating to nftables, other than that nftables supports unified rulesets for IPv4 and IPv6, and therefore it would be convenient to switch to nftables before adding IPv6 support. Don't get me wrong, I'd very much like to see IPv6 in Whonix at some point in the foreseeable future, whether it's with nftables or ip6tables. FWIW, at the moment Whonix is the main reason I haven't replaced my dual-stack setup with an IPv6+NAT64 setup. Nftables is not a requirement for IPv6 however.

Patrick added a comment.Aug 9 2021, 7:13 PM
In T509#20232, @ak88 wrote:

Any updates on this?

None.

In T509#9147, @Patrick wrote:

And I wouldn't know who would have the skills and time to create an nftables based Whonix firewall that works at first as good as our current one.

I've actually been working with nftables and IPv6 quite a bit lately. Maybe I could offer some insight?

Yes, please.

There's also iptables-nft, which converts iptables commands into nftables commands on the fly. In theory you could instantly convert a whole system just by symlinking it.

Well, in that case we could just replace calls to iptables to iptables-nft but that seems a bit pointless?

Current implementation:

Nftables is essentially just an alternative syntax to iptables. It uses the same core engine (netfilter) under the hood, and has the same symantics as iptables. There are even automated tools for converting between the two.

From that perspective we could even stick with iptables for many years to come? No real need to move to nftables?

Advantages of Whonix keeping iptables:

  • Years long tested in Whonix.
  • More people supposedly know iptables.

Other advantages for/against iptables/nftables that would speak for making such a major change?

The only catch I can think of is that nftables doesn't directly support ipset, which is used by corridor. We would have to patch corridor to use either ipset-translate or nftables native sets, or replace the ipset command with a shim. Still, it doesn't sound too difficult either way.

Could you discuss this please with corridor?

IPv6 is kind of a separate issue, is it not?

Yes.

Patrick added a comment.May 9 2023, 10:23 AM
Patrick added a comment.May 9 2023, 10:34 AM

https://www.kicksecure.com/wiki/Dev/Firewall_Refactoring#nftables

ls -la /usr/sbin/iptabels

/usr/sbin/iptables -> /etc/alternatives/iptables

ls -la /etc/alternatives/iptables

/etc/alternatives/iptables -> /usr/sbin/iptables-nft

In other words, iptabels is already symlinked to iptabels-nft anyhow. Therefore Whonix is already using iptabels-nft.

Patrick added a comment.May 15 2023, 5:23 PM

Some progress.

The appendix .nftables will probably be just transitional.

Patrick added a comment.May 15 2023, 6:21 PM

https://wiki.nftables.org/wiki-nftables/index.php/Scripting

Patrick added a comment.May 16 2023, 10:32 AM

https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rule_replacement

Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer