from pyroute2.netlink import nla
from pyroute2.netlink import NLA_F_NESTED
from pyroute2.netlink import NLA_F_NET_BYTEORDER
from pyroute2.netlink.nfnetlink import nfgen_msg
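# Size limits for nf_tables objects, in bytes.
NFT_TABLE_MAXNAMELEN = 32
NFT_CHAIN_MAXNAMELEN = 32
NFT_USERDATA_MAXLEN = 256

# nf_tables message types.  They are the low byte of the netlink message
# type; the high byte is the nfnetlink subsystem id (0xa for nf_tables), so
# NFT_MSG_GETRULE goes on the wire as (0xa << 8) | 7 == 0xa07 == 2567.
#
# The numbering is zero-based, matching the kernel enum.  The ltrace below
# confirms it: the GETGEN request is built with
# nftnl_nlmsg_build_hdr(..., 16, ...) and dumped as type 02576 (0xa10), and
# GETTABLE / GETCHAIN / GETRULE / GETSET / GETSETELEM are built with
# 1 / 4 / 7 / 10 / 13 and dumped as 02561 / 02564 / 02567 / 02570 / 02573.
# A one-based table (NEWTABLE = 1, ...) is off by one for every message and
# would make this module send e.g. a DELRULE where a GETRULE was intended.
NFT_MSG_NEWTABLE = 0
NFT_MSG_GETTABLE = 1
NFT_MSG_DELTABLE = 2
NFT_MSG_NEWCHAIN = 3
NFT_MSG_GETCHAIN = 4
NFT_MSG_DELCHAIN = 5
NFT_MSG_NEWRULE = 6
NFT_MSG_GETRULE = 7
NFT_MSG_DELRULE = 8
NFT_MSG_NEWSET = 9
NFT_MSG_GETSET = 10
NFT_MSG_DELSET = 11
NFT_MSG_NEWSETELEM = 12
NFT_MSG_GETSETELEM = 13
NFT_MSG_DELSETELEM = 14
NFT_MSG_NEWGEN = 15
NFT_MSG_GETGEN = 16
# Upper bound on message types (one past the last defined type).
# NOTE(review): 18 leaves a gap at 17 that nothing in this list fills; either
# a message type is missing above or MAX should be 17 -- confirm against the
# nf_tables uapi header of the target kernel before using this as a bound.
NFT_MSG_MAX = 18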
'''
* The possible flags in the netlink header are:
*
* - R, that indicates that NLM_F_REQUEST is set.
* - M, that indicates that NLM_F_MULTI is set.
* - A, that indicates that NLM_F_ACK is set.
* - E, that indicates that NLM_F_ECHO is set.
*
* The lack of one flag is displayed with '-'. On the other hand, the possible
* attribute flags available are:
*
* - N, that indicates that NLA_F_NESTED is set.
* - B, that indicates that NLA_F_NET_BYTEORDER is set.
*
* Note that NLM_F_DUMP (NLM_F_ROOT | NLM_F_MATCH = 0x300 = 768) is not one
* of the flags this printer shows, so a header printed as "R---" can still
* be a dump request: the nftnl_nlmsg_build_hdr() calls below pass flags 768
* (dump) and 772 (dump | NLM_F_ACK, which prints as "R-A-").
cmd: list all sets
https://github.com/Mic92/nftables/blob/master/src/main.c:184: netlink_genid_get() -> mnl_genid_get() -> nftnl_nlmsg_build_hdr();
nftnl_nlmsg_build_hdr(0x7ffcdeb88610, 16, 0, 0) = 0x7ffcdeb88610
mnl_socket_get_portid(0x20de360, 0x7ffcdeb88610, 20, 0x41ab20) = 0
mnl_nlmsg_fprintf(0x7fa1f4265640, 0x7ffcdeb88610, 20, 4
---------------- ------------------
| 0000000020 | | message length |
| 02576 | R--- | | type | flags | NFT_MSG_GETGEN
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 00 | | extra header |
---------------- ------------------
mnl_socket_sendto(0x20de360, 0x7ffcdeb88610, 20, 1024) = 20
getpagesize() = 4096
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb775c0, 0x10fff, 0x7fa1f3fafed3) = 28
mnl_cb_run(0x7ffcdeb775c0, 28, 0, 0 <unfinished ...>
mnl_nlmsg_get_payload(0x7ffcdeb775c0, 0, 1, 1) = 0x7ffcdeb775d0
<... mnl_cb_run resumed> ) = 1
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb775c0, 0x10fff, 0) = -1
__errno_location() = 0x7fa1f4d72698
getpagesize() = 4096
nftnl_table_list_alloc(0x20de360, 0, 8192, 0) = 0x20de590
nftnl_nlmsg_build_hdr(0x7ffcdeb885e0, 1, 0, 768) = 0x7ffcdeb885e0
mnl_socket_get_portid(0x20de360, 0x7ffcdeb885e0, 20, 0x41aec0) = 0
mnl_nlmsg_fprintf(0x7fa1f4265640, 0x7ffcdeb885e0, 20, 4
---------------- ------------------
| 0000000020 | | message length |
| 02561 | R--- | | type | flags | NFT_MSG_GETTABLE (0xa01: subsystem 0xa, message type 1; NFTA_SET_ELEM_LIST_TABLE is an attribute type, not a message type, so it cannot appear here)
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 00 | | extra header |
---------------- ------------------
mnl_socket_sendto(0x20de360, 0x7ffcdeb885e0, 20, 1024) = 20
getpagesize() = 4096
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb77590, 0x10fff, 0x7fa1f3fafed3) = 96
mnl_cb_run(0x7ffcdeb77590, 96, 0, 0 <unfinished ...>
mnl_nlmsg_get_payload(0x7ffcdeb77590, 0x20de590, 1, 1) = 0x7ffcdeb775a0
nftnl_table_alloc(0x7ffcdeb77590, 0x20de590, 19, 1) = 0x20de6c0
nftnl_table_nlmsg_parse(0x7ffcdeb77590, 0x20de6c0, 40, 5) = 0
nftnl_table_list_add_tail(0x20de6c0, 0x20de590, 2, 0x706c65) = 0x20de590
mnl_nlmsg_get_payload(0x7ffcdeb775c0, 0x20de590, 1, 0x706c01) = 0x7ffcdeb775d0
nftnl_table_alloc(0x7ffcdeb775c0, 0x20de590, 19, 0x706c01) = 0x20de710
nftnl_table_nlmsg_parse(0x7ffcdeb775c0, 0x20de710, 40, 5) = 0
nftnl_table_list_add_tail(0x20de710, 0x20de590, 2, 0x726574) = 0x20de6c0
<... mnl_cb_run resumed> ) = 1
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb77590, 0x10fff, 0) = 20
mnl_cb_run(0x7ffcdeb77590, 20, 0, 0) = 0
nftnl_table_list_foreach(0x20de590, 0x411220, 0x7ffcdeb89670, 0 <unfinished ...>
calloc(184, 1) = 0x20de760
nftnl_table_get_u32(0x20de6c0, 1, 0x20de7e0, 0x20de800) = 2
nftnl_table_get_str(0x20de6c0, 0, 0x7ffcdeb89584, 0) = 0x20de6f0
__strdup(0x20de6f0, 0, 0x7ffcdeb89594, 0) = 0x20de820
nftnl_table_get_u32(0x20de6c0, 2, 0, 0x706c65) = 0
calloc(184, 1) = 0x20de840
nftnl_table_get_u32(0x20de710, 1, 0x20de8c0, 0x20de8c0) = 2
nftnl_table_get_str(0x20de710, 0, 0x7ffcdeb89584, 0) = 0x20de740
__strdup(0x20de740, 0, 0x7ffcdeb89594, 0) = 0x20de900
nftnl_table_get_u32(0x20de710, 2, 0, 0x726574) = 0
<... nftnl_table_list_foreach resumed> ) = 0
nftnl_table_list_free(0x20de590, 2, 0x20de760, 0) = 0x20de730
getpagesize() = 4096
nftnl_set_alloc(0x20de360, 2, 8192, 0x64f920) = 0x20de920
nftnl_nlmsg_build_hdr(0x7ffcdeb885e0, 10, 2, 772) = 0x7ffcdeb885e0
nftnl_set_set(0x20de920, 0, 0x20de820, 0) = 1
nftnl_set_nlmsg_build_payload(0x7ffcdeb885e0, 0x20de920, 0, 0) = 1
nftnl_set_free(0x20de920, 0x20de590, 5, 10) = 0
nftnl_set_list_alloc(0x7fa1f4264b70, 0, 0xffffffff, 0) = 0x20de590
mnl_socket_get_portid(0x20de360, 0x7ffcdeb885e0, 32, 0x41af40) = 0
mnl_nlmsg_fprintf(0x7fa1f4265640, 0x7ffcdeb885e0, 32, 4
---------------- ------------------
| 0000000032 | | message length |
| 02570 | R-A- | | type | flags | probably NFT_MSG_GETSET
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 02 00 00 00 | | extra header |
|00009|--|00001| |len |flags| type|
| 68 65 6c 70 | | data | h e l p
| 00 7f 00 00 | | data |
---------------- ------------------
mnl_socket_sendto(0x20de360, 0x7ffcdeb885e0, 32, 1024) = 32
getpagesize() = 4096
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb77590, 0x10fff, 0x7fa1f3fafed3) = 20
mnl_cb_run(0x7ffcdeb77590, 20, 0, 0) = 0
nftnl_set_list_foreach(0x20de590, 0x411b10, 0x7ffcdeb89670, 0) = 0
nftnl_set_list_free(0x20de590, 0x411b10, 0x7ffcdeb89670, 0) = 0x20de730
getpagesize() = 4096
nftnl_chain_list_alloc(0x20de360, 2, 8192, 0x20de730) = 0x20de590
nftnl_nlmsg_build_hdr(0x7ffcdeb885d0, 4, 2, 768) = 0x7ffcdeb885d0
mnl_socket_get_portid(0x20de360, 0x7ffcdeb885d0, 20, 0x41ae40) = 0
mnl_nlmsg_fprintf(0x7fa1f4265640, 0x7ffcdeb885d0, 20, 4
---------------- ------------------
| 0000000020 | | message length |
| 02564 | R--- | | type | flags | probably NFT_MSG_GETCHAIN
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 02 00 00 00 | | extra header |
---------------- ------------------
mnl_socket_sendto(0x20de360, 0x7ffcdeb885d0, 20, 1024) = 20
getpagesize() = 4096
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb77580, 0x10fff, 0x7fa1f3fafed3) = 20
mnl_cb_run(0x7ffcdeb77580, 20, 0, 0) = 0
nftnl_chain_list_foreach(0x20de590, 0x411120, 0x7ffcdeb89670, 0) = 0
nftnl_chain_list_free(0x20de590, 0x411120, 0x7ffcdeb89670, 0) = 0x20de730
getpagesize() = 4096
nftnl_rule_list_alloc(0x20de360, 2, 8192, 0x20de730) = 0x20de590
nftnl_nlmsg_build_hdr(0x7ffcdeb885d0, 7, 2, 768) = 0x7ffcdeb885d0
mnl_socket_get_portid(0x20de360, 0x7ffcdeb885d0, 20, 0x41adc0) = 0
mnl_nlmsg_fprintf(0x7fa1f4265640, 0x7ffcdeb885d0, 20, 4
---------------- ------------------
| 0000000020 | | message length |
| 02567 | R--- | | type | flags | probably NFT_MSG_GETRULE
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 02 00 00 00 | | extra header |
---------------- ------------------
mnl_socket_sendto(0x20de360, 0x7ffcdeb885d0, 20, 1024) = 20
getpagesize() = 4096
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb77580, 0x10fff, 0x7fa1f3fafed3) = 20
mnl_cb_run(0x7ffcdeb77580, 20, 0, 0) = 0
nftnl_rule_list_foreach(0x20de590, 0x4112c0, 0x7ffcdeb89670, 0) = 0
nftnl_rule_list_free(0x20de590, 0x4112c0, 0x7ffcdeb89670, 0) = 0x20de730
getpagesize() = 4096
nftnl_set_alloc(0x20de360, 2, 8192, 0x20de730) = 0x20de920
nftnl_nlmsg_build_hdr(0x7ffcdeb885e0, 10, 2, 772) = 0x7ffcdeb885e0
nftnl_set_set(0x20de920, 0, 0x20de900, 0) = 1
nftnl_set_nlmsg_build_payload(0x7ffcdeb885e0, 0x20de920, 0, 0) = 1
nftnl_set_free(0x20de920, 0x20de590, 7, 14) = 0
nftnl_set_list_alloc(0x7fa1f4264b70, 0, 0xffffffff, 0) = 0x20de590
mnl_socket_get_portid(0x20de360, 0x7ffcdeb885e0, 32, 0x41af40) = 0
mnl_nlmsg_fprintf(0x7fa1f4265640, 0x7ffcdeb885e0, 32, 4
---------------- ------------------
| 0000000032 | | message length |
| 02570 | R-A- | | type | flags | probably NFT_MSG_GETSET
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 02 00 00 00 | | extra header |
|00011|--|00001| |len |flags| type|
| 66 69 6c 74 | | data | f i l t
| 65 72 00 00 | | data | e r
---------------- ------------------
mnl_socket_sendto(0x20de360, 0x7ffcdeb885e0, 32, 1024) = 32
getpagesize() = 4096
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb77590, 0x10fff, 0x7fa1f3fafed3) = 72
mnl_cb_run(0x7ffcdeb77590, 72, 0, 0 <unfinished ...>
mnl_nlmsg_get_payload(0x7ffcdeb77590, 0x20de590, 1, 1) = 0x7ffcdeb775a0
nftnl_set_alloc(0x7ffcdeb77590, 0x20de590, 19, 1) = 0x20de920
nftnl_set_nlmsg_parse(0x7ffcdeb77590, 0x20de920, 0x20de968, 0x20de980) = 0
nftnl_set_list_add_tail(0x20de920, 0x20de590, 155, 2) = 0x20de590
<... mnl_cb_run resumed> ) = 1
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb77590, 0x10fff, 0) = 20
mnl_cb_run(0x7ffcdeb77590, 20, 0, 0) = 0
nftnl_set_list_foreach(0x20de590, 0x411b10, 0x7ffcdeb89670, 0 <unfinished ...>
nftnl_set_get_u32(0x20de920, 3, 0x7ffcdeb89670, 0) = 7
nftnl_set_get_u32(0x20de920, 2, 0x7ffcdeb89574, 0) = 0
calloc(192, 1) = 0x20de990
nftnl_set_get_u32(0x20de920, 7, 0, 0) = 2
nftnl_set_get_str(0x20de920, 0, 0x7ffcdeb89574, 0) = 0x20de740
__strdup(0x20de740, 0, 0x7ffcdeb89584, 0) = 0x20dea60
nftnl_set_get_str(0x20de920, 1, 0, 0x726574) = 0x20de6f0
__strdup(0x20de6f0, 1, 0x7ffcdeb89584, 0) = 0x20dea80
nftnl_set_get_u32(0x20de920, 4, 0, 0x7469702d6c6961) = 4
nftnl_set_get_u32(0x20de920, 2, 0x7ffcdeb89574, 0) = 0
nftnl_set_is_set(0x20de920, 6, 0x7ffcdeb89574, 0) = 0
nftnl_set_is_set(0x20de920, 11, 0x7ffcdeb89574, 6) = 2048
nftnl_set_is_set(0x20de920, 12, 0x7ffcdeb89574, 11) = 4096
nftnl_set_is_set(0x20de920, 9, 0x7ffcdeb89574, 12) = 512
nftnl_set_is_set(0x20de920, 10, 0x7ffcdeb89574, 9) = 1024
<... nftnl_set_list_foreach resumed> ) = 0
nftnl_set_list_free(0x20de590, 10, 0x7ffcdeb89678, 10) = 0x20de6e0
nftnl_set_alloc(0x20de9a0, 0x20de9a0, 0x437800, 0x20de990) = 0x20de920
nftnl_set_set_u32(0x20de920, 7, 2, 0x20de980) = 128
nftnl_set_set_str(0x20de920, 0, 0x20dea60, 7) = 1
nftnl_set_set_str(0x20de920, 1, 0x20dea80, 0) = 2
nftnl_set_set_u32(0x20de920, 8, 1, 1) = 256
getpagesize() = 4096
nftnl_set_get_u32(0x20de920, 7, 8192, 8) = 2
nftnl_nlmsg_build_hdr(0x7ffcdeb885d0, 13, 2, 772) = 0x7ffcdeb885d0
nftnl_set_nlmsg_build_payload(0x7ffcdeb885d0, 0x20de920, 0, 0) = 387
mnl_socket_get_portid(0x20de360, 0x7ffcdeb885d0, 60, 0x41ad50) = 0
mnl_nlmsg_fprintf(0x7fa1f4265640, 0x7ffcdeb885d0, 60, 4
---------------- ------------------
| 0000000060 | | message length |
| 02573 | R-A- | | type | flags | probably NFT_MSG_GETSETELEM
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 02 00 00 00 | | extra header |
|00011|--|00001| |len |flags| type|
| 66 69 6c 74 | | data | f i l t
| 65 72 00 00 | | data | e r
|00017|--|00002| |len |flags| type|
| 44 46 57 2d | | data | D F W
| 6d 61 69 6c | | data | m a i l
| 2d 70 69 74 | | data | p i t
| 00 19 14 12 | | data |
|00008|--|00010| |len |flags| type|
| 00 00 00 01 | | data |
---------------- ------------------
mnl_socket_sendto(0x20de360, 0x7ffcdeb885d0, 60, 1024) = 60
getpagesize() = 4096
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb77580, 0x10fff, 0x7fa1f3fafed3) = 76
mnl_cb_run(0x7ffcdeb77580, 76, 0, 0 <unfinished ...>
mnl_nlmsg_get_payload(0x7ffcdeb77580, 0x20de920, 1, 1) = 0x7ffcdeb77590
nftnl_set_elems_nlmsg_parse(0x7ffcdeb77580, 0x20de920, 19, 1) = 0
<... mnl_cb_run resumed> ) = 0
calloc(128, 1) = 0x20deaa0
nftnl_set_elem_foreach(0x20de920, 0x412700, 0x7ffcdeb89670, 0x20deb00) = 0
nftnl_set_free(0x20de920, 0x412700, 0x7ffcdeb89670, 0x20deb00) = 0
getpagesize() = 4096
nftnl_chain_list_alloc(0x20de360, 2, 8192, 0) = 0x20de6f0
nftnl_nlmsg_build_hdr(0x7ffcdeb885d0, 4, 2, 768) = 0x7ffcdeb885d0
mnl_socket_get_portid(0x20de360, 0x7ffcdeb885d0, 20, 0x41ae40) = 0
mnl_nlmsg_fprintf(0x7fa1f4265640, 0x7ffcdeb885d0, 20, 4
---------------- ------------------
| 0000000020 | | message length |
| 02564 | R--- | | type | flags | probably NFT_MSG_GETCHAIN
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 02 00 00 00 | | extra header |
---------------- ------------------
mnl_socket_sendto(0x20de360, 0x7ffcdeb885d0, 20, 1024) = 20
getpagesize() = 4096
mnl_socket_recvfrom(0x20de360, 0x7ffcdeb77580, 0x10fff, 0x7fa1f3fafed3) = 20
mnl_cb_run(0x7ffcdeb77580, 20, 0, 0) = 0
nftnl_chain_list_foreach(0x20de6f0, 0x411120, 0x7ffcdeb89670, 0) = 0
nftnl_chain_list_free(0x20de6f0, 0x411120, 0x7ffcdeb89670, 0) = 0x20de580
getpagesize() = 4096
nftnl_rule_list_alloc(0x20de360, 2, 8192, 0x20de580) = 0x20de6f0
nftnl_nlmsg_build_hdr(0x7ffcdeb885d0, 7, 2, 768) = 0x7ffcdeb885d0
mnl_socket_get_portid(0x20de360, 0x7ffcdeb885d0, 20, 0x41adc0) = 0
mnl_nlmsg_fprintf(0x7fa1f4265640, 0x7ffcdeb885d0, 20, 4
---------------- ------------------
| 0000000020 | | message length |
| 02567 | R--- | | type | flags | probably NFT_MSG_GETRULE
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 02 00 00 00 | | extra header |
---------------- ------------------
output:
set DFW-mail-pit {
type ipv4_addr
}
'''
class nftables_msg(nfgen_msg):
    """nf_tables netlink message built on the nfnetlink generic header.

    The attribute map is deliberately empty: no NFTA_* attributes are
    declared yet, so only the nfgenmsg header is decoded and any
    attributes in a received message are left unparsed.
    """

    nla_map = ()
@svinota

svinota commented Feb 24, 2016

| 02567 | R--- |         | type | flags |                     probably NFT_MSG_GETRULE
2567 == 0xa07 == (NFNL_SUBSYS_NFTABLES << 8) | 7 (the high byte 0xa is the nf_tables nfnetlink subsystem; NFNL_SUBSYS_IPSET is a different subsystem id)
7 == NFT_MSG_GETRULE

etc. I submitted some draft code for messages, see in the repo
