Last active August 5, 2022 17:54
Google Summer of Code 2019 : Shekhar Sharma, Netfilter Organisation

This is the summary of the work done by Shekhar Sharma for the netfilter project during the Google Summer of Code 2019.

My work was concentrated on the command line tool 'nftables', built and maintained by the netfilter organisation as the successor to 'iptables'. I primarily focused on strengthening the testing infrastructure and extending the GeoIP feature for nftables.

Nftables is the command line tool that lets users configure the firewall by building tables, chains and rules that filter the packets flowing through the host.

To install nftables, one can clone the repository from this link.

git clone

Nftables needs these prerequisites to work correctly.

After cloning, the user needs to run these commands to install nftables:

make install

To check whether the nftables tool is installed, type:

nft --help

If the terminal prints output like the following:

Usage: nft [ options ] [ cmds... ]

  -h, --help			Show this help
  -v, --version			Show version information

then nft is successfully installed.

I helped implement the geoip feature for nftables, like the one in iptables. In particular, I wrote the script under nftables/files. The script makes use of the GeoLite2 database by MaxMind and lets the user filter packets to and from different countries and continents. The user can download the GeoIP database with the script's --download option. So, to download the database:

python3 --download

The output will be as follows:

Downloading GeoIP CSV files,
Please wait, this may take a moment.

The script downloads the zipped archive from the online database, which MaxMind updates every month. The archive is then unpacked with Python's zipfile module.
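The unpacking step deserves one check that the text above does not mention: the member names inside a downloaded archive are only as trustworthy as the download itself, and a name such as "../../geoip.nft" would otherwise be written outside the destination directory. The following is an added example, not the nftables script's own code, of unpacking the archive with that check in place. It assumes the archive bytes were already fetched (since the end of 2019 MaxMind requires a free license key for GeoLite2 downloads) and uses constructed member names and contents, not real MaxMind data; the function and variable names are this example's own.

```python
"""Added example (not the nftables script): unpack the GeoLite2 CSV archive safely.

Assumptions: the archive was fetched separately; every member name and content
below is constructed sample data, not real MaxMind content.
"""
import io
import os
import tempfile
import zipfile


def extract_csvs(zip_bytes, dest):
    """Extract only the .csv members of the archive into dest.

    Any member whose resolved path would land outside dest (for example
    "../../geoip.nft" or "/etc/x.csv", the classic "zip slip") aborts the
    whole extraction. Returns the extracted paths relative to dest.
    """
    dest_real = os.path.realpath(dest)
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            target = os.path.realpath(os.path.join(dest_real, name))
            # Traversal check first, before any filtering, so a hostile name
            # is never silently skipped but reported.
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError("refusing to extract %r outside %s" % (name, dest))
            if not name.lower().endswith(".csv"):
                continue  # COPYRIGHT.txt, README etc. are not needed
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(os.path.relpath(target, dest_real))
    return extracted


def build_sample_zip(members):
    """Constructed stand-in for the MaxMind download: {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)  # writestr does not sanitise names, so
    return buf.getvalue()            # "../x" really ends up in the archive


def demo():
    """Run a benign archive and a traversal attempt; returns (extracted, rejected)."""
    dest = tempfile.mkdtemp(prefix="geoip-")
    good = build_sample_zip({
        "GeoLite2-Country-CSV_20190813/GeoLite2-Country-Locations-en.csv": "geoname_id,locale_code\n",
        "GeoLite2-Country-CSV_20190813/GeoLite2-Country-Blocks-IPv4.csv": "network,geoname_id\n",
        "GeoLite2-Country-CSV_20190813/COPYRIGHT.txt": "not a csv, skipped\n",
    })
    extracted = sorted(extract_csvs(good, dest))
    # A tampered archive trying to overwrite the generated ruleset two levels up.
    evil = build_sample_zip({"../../geoip.nft": "table inet hostile { }\n"})
    try:
        extract_csvs(evil, dest)
        rejected = False
    except ValueError:
        rejected = True
    return extracted, rejected


if __name__ == "__main__":
    print(demo())
```

The check compares canonical paths (realpath on both sides) rather than looking for ".." in the name, so absolute member names and symlinked destinations are handled too. Python's own ZipFile.extractall strips leading "../" components, but doing the check explicitly makes the policy visible and turns a hostile archive into a hard failure instead of a silently relocated file.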

After downloading, the user can use the same script to parse the CSV files and generate a 'geoip.nft' file that can be included in their ruleset. To do so, one has to use the options:

  • --file-location
  • --file-ipv4

The first option specifies the CSV file that maps MaxMind location (geoname) IDs to countries and continents, GeoLite2-Country-Locations-en.csv; the latter specifies the CSV file that lists IPv4 network blocks together with the location ID of their country, GeoLite2-Country-Blocks-IPv4.csv. (Both options are required for the script to run successfully.)

To run the script, one can:

python3 --file-ipv4 [IPv4] --file-location [LOCATIONS]

[LOCATIONS] - the CSV file containing the location info
[IPv4] - the CSV file containing the IPv4 block info

For example:

python3 --file-location GeoLite2-Country-CSV_20190813/GeoLite2-Country-Locations-en.csv --file-ipv4 GeoLite2-Country-CSV_20190813/GeoLite2-Country-Blocks-IPv4.csv

The output should be:

Creating geoip.nft


After that, a new geoip.nft file will be created under nftables/files. The user can include this file in the ruleset as follows:

                include "geoip.nft"
                chain CHAINNAME{
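To make the --file-location / --file-ipv4 step concrete, here is an added example of a generator that does the same job: it joins the two GeoLite2 country CSVs on the location ID and writes one nft "define" per country and per continent, which a ruleset can then use after include "geoip.nft". It is this page's own illustration, not the netfilter project's script; it assumes the column names of the MaxMind GeoLite2-Country CSV files, the sample rows are constructed (not real allocations), and the define naming scheme geoip_country_XX_v4 / geoip_continent_XX_v4 is this example's own convention.

```python
"""Added example (not the nftables script): build an nft include file from
GeoLite2 country CSVs.

Assumptions: column names are those of the MaxMind GeoLite2-Country CSVs; the
rows below are constructed sample data; the define names are this example's own.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of GeoLite2-Country-Locations-en.csv. The last row is a
# continent-level entry (no country code), which the real file also contains.
SAMPLE_LOCATIONS = """\
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2077456,en,OC,Oceania,AU,Australia,0
2921044,en,EU,Europe,DE,Germany,1
6252001,en,NA,"North America",US,"United States",0
6255148,en,EU,Europe,,,0
"""

# Constructed sample of GeoLite2-Country-Blocks-IPv4.csv with the edge cases a
# generator must survive: empty geoname_id (fall back to registered country),
# a continent-only location, an unknown location ID and a malformed prefix.
SAMPLE_BLOCKS = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
1.0.0.0/24,2077456,2077456,,0,0
1.0.4.0/22,2077456,2077456,,0,0
2.16.0.0/13,,2921044,,0,0
3.0.0.0/15,6252001,6252001,,0,0
5.1.0.0/16,6255148,2921044,,0,0
9.9.9.0/24,99999,99999,,0,0
10.0.0.1/8,6252001,6252001,,0,0
"""


def load_locations(text):
    """Map geoname_id -> (country_iso_code or None, continent_code)."""
    locations = {}
    for row in csv.DictReader(io.StringIO(text)):
        locations[row["geoname_id"]] = (row["country_iso_code"] or None,
                                        row["continent_code"])
    return locations


def load_blocks(text, locations):
    """Group IPv4 blocks by country and by continent.

    Rows with an empty geoname_id fall back to registered_country_geoname_id;
    rows with an unknown ID or a malformed prefix are dropped rather than
    copied verbatim into the ruleset, so nothing unparsed reaches nft.
    """
    countries, continents = defaultdict(list), defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        geo = row["geoname_id"] or row["registered_country_geoname_id"]
        if geo not in locations:
            continue
        try:
            net = ipaddress.IPv4Network(row["network"])  # strict: host bits must be 0
        except ValueError:
            continue
        country, continent = locations[geo]
        if country:
            countries[country].append(net)
        continents[continent].append(net)
    return countries, continents


def render_nft(countries, continents):
    """Emit one define per country and per continent.

    Distinct prefixes are required: the continent codes AF, AS, NA and SA
    are also the ISO codes of Afghanistan, American Samoa, Namibia and
    Saudi Arabia. collapse_addresses de-duplicates and merges adjacent blocks.
    """
    lines = ["# generated from GeoLite2 CSV data; do not edit by hand"]
    for kind, table in (("country", countries), ("continent", continents)):
        for code in sorted(table):
            nets = ipaddress.collapse_addresses(table[code])
            lines.append("define geoip_%s_%s_v4 = { %s }"
                         % (kind, code, ", ".join(str(n) for n in nets)))
    return "\n".join(lines) + "\n"


def generate(locations_text, blocks_text):
    countries, continents = load_blocks(blocks_text, load_locations(locations_text))
    return render_nft(countries, continents)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 <this file> Locations-en.csv Blocks-IPv4.csv
        with open(sys.argv[1], encoding="utf-8") as loc, open(sys.argv[2], encoding="utf-8") as blk:
            text = generate(loc.read(), blk.read())
    else:
        text = generate(SAMPLE_LOCATIONS, SAMPLE_BLOCKS)
    with open("geoip.nft", "w") as out:
        out.write(text)
    print("Creating geoip.nft")
```

Because the generated file contains only defines, it can be included at the top of a ruleset before any table, and rules then reference the variables, e.g. ip saddr $geoip_country_DE_v4 drop or ip daddr $geoip_continent_EU_v4 accept; nft expands the prefix list into an anonymous interval set. Keep in mind that country attribution is a database heuristic, not a security boundary: a source behind a VPN or proxy is attributed to the exit, so geo-blocking is a coarse filter and the CSV's is_anonymous_proxy column is worth honouring separately if that matters.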

Users can also pass the --help option to see the usage of the script's options:

python3 --help

Other than the script, I also submitted patches adding the netns feature to the test file of nftables, to test the rules in a specific network namespace.

Also, as Python 2 will soon reach end of life, I converted all the Python files in the nftables repository to run on both Python 2 and Python 3.

Next Steps:

  • The script generates a 'geoip.nft' file which contains information about the IPv4 addresses; I will further extend that to support IPv6 addresses as well.
  • The interface of the script will be updated to increase verbosity.

The patches which I submitted for the above-mentioned work can be found here.

I would like to acknowledge the guidance provided by Pablo Neira Ayuso, Phil Sutter, Arturo Borrero Gonzalez and the whole netfilter family.
