@shekhar-sharma
Last active August 5, 2022 17:54
Google Summer of Code 2019 : Shekhar Sharma, Netfilter Organisation

This is the summary of the work done by Shekhar Sharma for the netfilter project during the Google Summer of Code 2019.

My work was concentrated on the command line tool 'nftables', built and maintained by the netfilter organisation as the successor to 'iptables'. I primarily focused on strengthening the testing infrastructure and extending the GeoIP feature for nftables.

Nftables is a command line tool which enables users to configure their firewall by building tables, chains and rules to filter the packets that flow through the computer.

To install nftables, one can clone the repository from this link.

git clone https://git.netfilter.org/nftables/

Nftables needs these prerequisites to work correctly.

After cloning, the user needs to run these commands to install nftables:

sh autogen.sh
./configure
make
make install

To check whether nftables is installed, one can type:

nft --help

If the terminal gives output like the following:

Usage: nft [ options ] [ cmds... ]

Options:
  -h, --help			Show this help
  -v, --version			Show version information
  ...
  ...
  ...

then nft is successfully installed.

I helped in implementing the GeoIP feature for nftables, like the one in iptables. In particular, I wrote the nft_geoip.py script under nftables/files. The script makes use of the GeoLite2 database by MaxMind and helps the user filter packets to and from different countries and continents. The user can download the GeoIP database with the --download option of the nft_geoip.py script. So, to download the database:

python3 nft_geoip.py --download

The output will be as follows:

Downloading GeoIP CSV files,
Please wait, this may take a moment.

The script downloads the zipped folder from the online database, which MaxMind updates every month. The downloaded folder is then unzipped using the unzip package of Python.

After downloading, the user can use the same script to parse the CSV files and generate a 'geoip.nft' file that can be included in their ruleset. To do so, one has to use the options:

  • --file-location
  • --file-ipv4

The first option specifies the CSV file which contains the location and GeoIP information for the different countries, and the latter specifies the CSV file which contains the IPv4 address blocks and their country of origin. (Both options are required to run the script successfully.)

To run the script, one can:

python3 nft_geoip.py --file-ipv4 [IPv4] --file-location [LOCATIONS]

[LOCATIONS] - the csv file containing location info
[IPv4] - the csv file containing IPv4 info

For example:

python3 nft_geoip.py --file-location GeoLite2-Country-CSV_20190813/GeoLite2-Country-Locations-en.csv --file-ipv4 GeoLite2-Country-CSV_20190813/GeoLite2-Country-Blocks-IPv4.csv

The output should be:

Creating geoip.nft

Done

After which, a new geoip.nft file will be created under nftables/files. The user can include this file in the ruleset as follows:

table TABLENAME {
    include "geoip.nft"
    chain CHAINNAME {
    }
}

Users can also refer to the --help option to see the usage of the different options available with the script.

python3 nft_geoip.py --help
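As an added illustration of the parse-and-generate step described above (my own sketch here, not the project's nft_geoip.py), the following Python turns GeoLite2-style Locations and Blocks-IPv4 rows into an nft interval map. The CSV rows are constructed, and the output layout (one define per country plus a geoip4 map of ipv4_addr : mark) is an assumption about what a geoip.nft included inside a table block could contain; it also shows two checks worth having whenever generated text is later fed to nft -f: only clean two-letter ISO codes become define names, and only valid CIDR prefixes reach the map.

```python
import csv
import io
import ipaddress
import re

# Constructed sample rows in the GeoLite2-Country CSV column layout (not real MaxMind data).
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2077456,en,OC,Oceania,AU,Australia,0
6252001,en,NA,North America,US,United States,0
"""
BLOCKS_IPV4_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
1.0.0.0/24,2077456,2077456,,0,0
8.8.8.0/24,6252001,6252001,,0,0
1.0.4.1/22,6252001,6252001,,0,0
"""

# Only a plain two-letter ISO code may become an nft 'define' name; anything else is dropped.
ISO_CODE = re.compile(r"^[A-Z]{2}$")

def load_locations(text):
    """Return {geoname_id: country_iso_code} from the Locations CSV, keeping only clean codes."""
    return {r["geoname_id"]: r["country_iso_code"].strip()
            for r in csv.DictReader(io.StringIO(text))
            if ISO_CODE.match(r["country_iso_code"].strip())}

def load_blocks(text, codes):
    """Return [(network, code)] from Blocks-IPv4, skipping unknown countries and bad prefixes."""
    pairs = []
    for row in csv.DictReader(io.StringIO(text)):
        code = codes.get(row["geoname_id"])
        if code is None:
            continue
        try:  # strict=True rejects prefixes with host bits set, e.g. 1.0.4.1/22
            net = ipaddress.IPv4Network(row["network"], strict=True)
        except ValueError:
            continue
        pairs.append((str(net), code))
    return pairs

def render_geoip_nft(codes, pairs):
    """Render defines plus an interval map 'geoip4' (ipv4_addr : mark); this layout is assumed."""
    lines = [f"define {c} = {n}" for n, c in enumerate(sorted(set(codes.values())), 1)]
    lines += ["map geoip4 {", "\ttype ipv4_addr : mark", "\tflags interval"]
    lines.append("\telements = { " + ", ".join(f"{net} : ${c}" for net, c in pairs) + " }")
    lines.append("}")
    return "\n".join(lines) + "\n"

def build_geoip_nft(locations_csv=LOCATIONS_CSV, blocks_csv=BLOCKS_IPV4_CSV):
    codes = load_locations(locations_csv)
    return render_geoip_nft(codes, load_blocks(blocks_csv, codes))
```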

Other than the nft_geoip.py script, I also submitted patches adding netns support to the nftables test file, so that rules can be tested in a specific network namespace.

Also, as Python 2 will soon reach end-of-life, I converted all the Python files in the nftables repository to run on both Python 2 and Python 3.

Next Steps:

  • The nft_geoip.py script generates a 'geoip.nft' file which contains information about IPv4 addresses; I will further extend it to support IPv6 addresses as well.
  • The interface of the script will be updated to increase verbosity.

The patches which I submitted for the above mentioned work can be found here.

I would like to acknowledge the guidance provided by Pablo Neira Ayuso, Phil Sutter, Arturo Borrero Gonzalez and the whole netfilter family.
