[clug] Fwd: Debian Buster - Which firewall by default? iptables or nftables?

George at Clug Clug at goproject.info
Wed Jul 24 13:05:38 UTC 2019


Thanks Steve (and Bob) for responding.

I was lost a bit for a number of reasons, including that I am not familiar with the term "user space" but once I read http://www.linfo.org/kernel_space.html it became clear.

https://wiki.debian.org/nftables
Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e, using iptables syntax with the nf_tables kernel subsystem).

I still am a bit confused by the term "layer". In the above statement "iptables-nft layer", does the word "layer" have more significance than just the word "layer" as in "the jam and cream layer in a chocolate cake really makes it yummy", or "put a layer of topsoil on your yard before applying the new turf"? For example, does the word imply one of the OSI layers? Just like in Object-Oriented Programming, words can inherit too much implied meaning.

https://en.wikipedia.org/wiki/OSI_model
The model partitions a communication system into abstraction layers.

Thanks, this is definitely an interesting topic. If I ever get to the point where I can configure a firewall/router appliance using nftables, I will be pleased with myself (as I would then know a lot more than I currently do).

On Wednesday, 24-07-2019 at 18:04 Steve Walsh via linux wrote:
> On 24/7/19 4:15 pm, George at Clug via linux wrote:
> > Hi guys,  
> >
> > Surely someone could help explain a bit further on what is happening with iptables in Debian?
>
> Background
>
> Iptables is the user space tool to manipulate firewall rules.  Over the
> years, people have used iptables to refer to both the user space tool,
> and to netfilter, the kernel-level components that inspect packets and
> take actions on them.

I think Bob mentioned something about iptables/netfilter being separate, a long time ago in one of his talks, but I did not fully understand.

I guess nftables has two components, user space (nft) and kernel space (nftables), with the kernel space nftables replacing netfilter.

http://www.linfo.org/kernel_space.html
System memory in Linux can be divided into two distinct regions: kernel space and user space.
User space is that set of memory locations in which user processes (i.e., everything other than the kernel) run.
Kernel space can be accessed by user processes only through the use of system calls.

https://en.wikipedia.org/wiki/Nftables
nftables is configured via the user-space utility nft while netfilter is configured via the utilities iptables, ip6tables, arptables and ebtables frameworks.

https://packages.debian.org/buster/nftables 
Package: nftables (0.9.0-2)
This software provides [nftables] and the nft userspace command line tool.

However if it is correct, I would prefer to replace the statement "nftables replaces the old popular iptables, ip6tables, arptables and ebtables" with "the nftables package replaces the old popular iptables, ip6tables, arptables and ebtables user space programs with the user space program nft, and in the kernel space, [nftables] to replace netfilter". Just not sure if the word [nftables] is correct or if the kernel space part of nftables has its own name? See "nftables is supposed to replace certain parts of netfilter, while keeping and reusing most of it" in https://en.wikipedia.org/wiki/Nftables

However, I think this fellow is confused, and he confuses me (I have read elsewhere that iptables works in the user-space, not the kernel-space). I think Wikipedia is correct (which is the same as Steve was telling me).
https://www.experts-exchange.com/questions/29050086/nftables-iptables-and-netfilter-question.html
2. Both nftables + iptables work in kernel space.

https://en.wikipedia.org/wiki/Iptables
iptables is a user-space utility program that allows a system administrator to configure the tables[2] provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.

While maybe not wrong, this web page does not explain the full story; that is, it misses out on explaining the role of netfilter. At least it explains that the user-space utility is nft.
https://wiki.gentoo.org/wiki/Nftables
nftables is the successor to iptables. It replaces the existing iptables, ip6tables, arptables, and ebtables framework. It uses the Linux kernel and a new userspace utility called nft. nftables provides a compatibility layer for the ip(6)tables and framework.

>
> nftables is the kernel-level component to replace netfilter. To keep
> some compatibility in place, iptables will still talk to netfilter, but
> there's a new tool a' comin'.
>
> Why change the tool? At the moment, the iptables firewall code has so
> much protocol specific logic built into the code it's replicated 4
> times, once for ipv4, again for ipv6, a third time for arp, and lastly a
> 4th time for ethernet bridging control.  Each of those kernel sections
> has a tool of their own (iptables, ip6tables, arptables and ebtables).

I would have created separate services for handling iptables (v4 & v6), arptables and ebtables as I see these are quite different functions, like DNS is a different function, which all have to do with networking. But then I don't know how closely iptables, arptables and ebtables are intertwined in their processes.

Not having used ebtables, I do not have a good grasp on what it does or why it is used; from below, I guess "bridging"?

https://linux.die.net/man/8/ebtables
ebtables is an application program used to set up and maintain the tables of rules (inside the Linux kernel) that inspect Ethernet frames. It is analogous to the iptables application, but less complicated, due to the fact that the Ethernet protocol is much simpler than the IP protocol.
https://ebtables.netfilter.org/

The ebtables program is a filtering tool for a Linux-based bridging firewall. It enables transparent filtering of network traffic passing through a Linux bridge. The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers. Advanced logging, MAC DNAT/SNAT and brouter facilities are also included.

The ebtables tool can be combined with the other Linux filtering tools (iptables, ip6tables and arptables) to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture which is a part of the standard Linux kernel.

The ebtables and arptables codebase is maintained by the netfilter developers, who were so kind to take over maintenance of the software. This website is kept mainly as a documentation reference.
 

> There was some attempt to consolidate the bits that could be
> de-duplicated into x_tables, but that nugget only helps you pick apart
> what's happening, and won't win you any points at pub trivia.
>
> From the wikipedia page for nftables
>
> 'The nftables kernel engine adds a simple virtual machine into the
> Linux kernel which is able to execute bytecode to inspect a network
> packet and make decisions on how that packet should be handled. The
> operations implemented by this virtual machine are intentionally made
> basic.
>
> It can get data from the packet itself, have a look at the associated
> metadata (inbound interface, for example), and manage connection
> tracking data.
>
> Arithmetic, bitwise and comparison operators can be used for making
> decisions based on that data. The virtual machine is also capable of
> manipulating sets of data (typically IP addresses), allowing multiple
> comparison operations to be replaced with a single set lookup.'
>
> 'nftables also offers an improved userspace API that allows atomic
> replacements of one or more firewall rules within a single Netlink
> transaction. That speeds up firewall configuration changes for setups
> having large rulesets; it can also help in avoiding race conditions
> while the rule changes are being executed. nftables also includes
> compatibility features to ease transition from previous firewalls,
> command line utilities to convert rules in the iptables format, and
> syntax compatible versions of iptables commands that use the nftables
> backend.'
>
> When the doco tells you Buster uses nf_tables and not iptables, it's
> talking about the kernel modules.
>
> When you twiddle iptables in alternatives, you're changing which tool to
> manipulate the firewall at a kernel level is assigned to the user-space
> command "iptables".
>
> The default starting with Debian Buster:
>
> # update-alternatives --set iptables /usr/sbin/iptables-nft
> # update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
> # update-alternatives --set arptables /usr/sbin/arptables-nft
> # update-alternatives --set ebtables /usr/sbin/ebtables-nft
>
> Switching to the legacy version:
>
> # update-alternatives --set iptables /usr/sbin/iptables-legacy
> # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
> # update-alternatives --set arptables /usr/sbin/arptables-legacy
> # update-alternatives --set ebtables /usr/sbin/ebtables-legacy
>
>
> HTH, and I'm sure someone will let us know if I've gotten any of this wrong.
>
>
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
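An added example, not part of either message above and not Debian's or the netfilter project's own code: a POSIX shell script that shows what the thread describes in practice. One `inet` table replaces the separate iptables/ip6tables rulesets Steve mentions, a named set replaces a run of per-address comparisons (the "single set lookup" in the quoted Wikipedia text), and `flush ruleset` followed by the new rules in one file is what makes the reload a single atomic transaction. The small `iptables_backend` helper answers George's question about which tool is behind the `iptables` command by parsing the output of `iptables -V`, which on Buster's iptables 1.8 ends in "(nf_tables)" or "(legacy)". The caveat a practitioner wants: if some rules were loaded with `iptables-legacy` and others with `iptables-nft`, the kernel enforces both sets, but each tool lists only its own, so check the backend before trusting `iptables -L` as a complete view. The addresses (192.0.2.x, documentation range), set and chain names and the ruleset contents are my assumptions for illustration; `nft -c -f` is nft's real syntax-check mode and is only invoked where nft is installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): one nftables ruleset that
# covers what previously needed iptables + ip6tables, plus a helper that
# reports which backend the "iptables" command on this host is using.
set -eu

# Parse the output of `iptables -V` (e.g. "iptables v1.8.2 (nf_tables)") and
# print the backend name: nf_tables, legacy, or unknown.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Write the ruleset to the given path. "flush ruleset" plus the new rules in
# one file means nft applies the whole thing in a single Netlink transaction:
# there is no window where the old rules are gone and the new ones not yet in.
# Hosts, names and ports below are illustrative assumptions.
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

# One table in the inet family handles IPv4 and IPv6 together.
table inet filter {
    # A set replaces a chain of per-address comparisons with one lookup.
    set admin_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # ICMP/ICMPv6 are needed for PMTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # SSH only from the admin set (IPv4 addresses in this example).
        tcp dport 22 ip saddr @admin_hosts accept
        tcp dport { 80, 443 } accept

        log prefix "inet-input-drop " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Syntax-check the file without loading it, but only where nft exists
# (it will not on every host where this script is read).
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    fi
}

main() {
    tmp=$(mktemp)
    write_ruleset "$tmp"
    check_ruleset "$tmp"
    if command -v iptables >/dev/null 2>&1; then
        echo "iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null || true)")"
    fi
    echo "ruleset written to $tmp (load with: nft -f $tmp)"
}

main "$@"
```

To make the ruleset persistent on Buster, the same text goes in /etc/nftables.conf and the nftables service loads it at boot; `nft list ruleset` then shows exactly what the kernel has, regardless of which `iptables` alternative is selected.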
