This is the summary of the work done by Shekhar Sharma for the netfilter project during the Google Summer of Code 2019.
My work was concentrated on the command line tool 'nftables', built and maintained by the netfilter organisation as the successor to 'iptables'. I primarily focused on strengthening the testing infrastructure and extending the GeoIP feature for nftables.
Nftables is a command line tool which enables users to configure their firewall by building tables, chains and rules to filter the packets that flow through the computer.
To install nftables, one can clone the repository from this link.
git clone https://git.netfilter.org/nftables/
Nftables needs these pre-requisites to work correctly.
After cloning, the user needs to run these commands to install nftables:
sh autogen.sh
./configure
make
make install
To check if the nftables tool is installed or not, one can type:
nft --help
If the terminal gives output like the following:
Usage: nft [ options ] [ cmds... ]
Options:
-h, --help Show this help
-v, --version Show version information
...
...
...
then nft is successfully installed.
I helped in implementing the GeoIP feature for nftables, like the one that exists in iptables. In particular, I wrote the nft_geoip.py script under nftables/files. The script makes use of the GeoLite2 database by MaxMind and helps the user to filter packets to and from different countries and continents. The user can download the GeoIP database with the help of the --download option of the nft_geoip.py script. So, to download the database:
python3 nft_geoip.py --download
The output will be as follows:
Downloading GeoIP CSV files,
Please wait, this may take a moment.
The script downloads the zipped folder from the online database, which MaxMind updates every month. The downloaded folder is then unzipped using the unzip package of Python.
After downloading, the user can use the same script to parse the CSV files and generate a 'geoip.nft' file that can be included in their ruleset. To do so, one has to use the options:
- --file-location
- --file-ipv4
The first option specifies the CSV file which contains the location information (country and continent) for the different geoname ids, and the second specifies the CSV file which contains the IPv4 address blocks and their country of origin. (Both options are required to run the script successfully.)
To run the script, one can:
python3 nft_geoip.py --file-ipv4 [IPv4] --file-location [LOCATIONS]
[LOCATIONS] - the CSV file containing location info
[IPv4] - the CSV file containing IPv4 info
For example:
python3 nft_geoip.py --file-location GeoLite2-Country-CSV_20190813/GeoLite2-Country-Locations-en.csv --file-ipv4 GeoLite2-Country-CSV_20190813/GeoLite2-Country-Blocks-IPv4.csv
The output should be:
Creating geoip.nft
Done
After which, a new geoip.nft file will be created under nftables/files. The user can include this file in the ruleset as follows:
table TABLENAME {
	include "geoip.nft"
	chain CHAINNAME {
	}
}
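As an added example (this is not the project's nft_geoip.py, and the layout of the generated file is my own assumption rather than the exact contents of geoip.nft), the following Python script joins the two GeoLite2 CSV files described above and emits an nft include file: one define per country and an interval map from IPv4 prefix to the country's mark. The CSV rows are constructed for the example; only the column names follow the GeoLite2-Country CSV layout published by MaxMind.

```python
"""Illustrative generator (not the nftables project's nft_geoip.py): join the two
GeoLite2 country CSV files and emit an nft map from IPv4 ranges to a mark value.
The sample CSV rows below are constructed for this example; the column names
match the GeoLite2-Country CSV layout published by MaxMind."""
import csv
import io

# Constructed sample of GeoLite2-Country-Locations-en.csv.
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2921044,en,EU,Europe,DE,Germany,1
6252001,en,NA,"North America",US,"United States",0
1861060,en,AS,Asia,JP,Japan,0
"""

# Constructed sample of GeoLite2-Country-Blocks-IPv4.csv.
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
1.0.16.0/20,1861060,1861060,,0,0
2.16.0.0/13,2921044,2921044,,0,0
3.0.0.0/8,6252001,6252001,,0,0
5.1.0.0/16,,2921044,,0,0
"""


def load_locations(text):
    """Map geoname_id -> (country_iso_code, continent_code)."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        # Continent-only rows have no country code; they are skipped here.
        if row["country_iso_code"]:
            out[row["geoname_id"]] = (row["country_iso_code"], row["continent_code"])
    return out


def load_blocks(text, locations):
    """Return (network, country_iso_code) for every block that resolves to a country.
    MaxMind leaves geoname_id empty when only the registered country is known,
    so the registered_country_geoname_id column is used as a fallback."""
    pairs = []
    for row in csv.DictReader(io.StringIO(text)):
        gid = row["geoname_id"] or row["registered_country_geoname_id"]
        if gid in locations:
            pairs.append((row["network"], locations[gid][0]))
    return pairs


def country_marks(locations):
    """Assign each country a small, stable mark value (numbered in ISO-code order)
    so that rules can later match on 'meta mark'. The numbering is this example's
    own choice, not the project's."""
    codes = sorted({iso for iso, _ in locations.values()})
    return {iso: idx + 1 for idx, iso in enumerate(codes)}


def render_geoip_nft(locations_text, blocks_text):
    """Return the text of an nft include file: one define per country and an
    interval map from IPv4 prefix to the country's mark."""
    locations = load_locations(locations_text)
    marks = country_marks(locations)
    lines = ["define %s = %d" % (iso, mark) for iso, mark in sorted(marks.items())]
    lines += ["", "map geoip4 {", "\ttype ipv4_addr : mark", "\tflags interval", "\telements = {"]
    elements = ["\t\t%s : $%s" % (network, iso)
                for network, iso in load_blocks(blocks_text, locations)]
    lines.append(",\n".join(elements))
    lines += ["\t}", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Writing this to a file and including it from a table is the same workflow
    # as the geoip.nft include shown above.
    print(render_geoip_nft(LOCATIONS_CSV, BLOCKS_CSV))
```

With such a file included in a table, a rule like meta mark set ip saddr map @geoip4 assigns the country mark to each packet, and a following rule can match on meta mark $DE (or whichever define the generator produced) to accept or drop traffic from that country.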
The users can also refer to the --help option to see the usage of different options which are available with the script.
python3 nft_geoip.py --help
Other than the nft_geoip.py script, I also submitted patches for adding the netns feature to the test file of nftables, so that the rules can be tested in a specific network namespace.
As Python 2 will soon reach end-of-life, I also converted all the Python files in the nftables repository to run on both Python 2 and Python 3.
- The nft_geoip.py script generates a 'geoip.nft' file which contains information about IPv4 addresses; I will further extend it to support IPv6 addresses as well.
- The interface of the script will be updated to increase verbosity.
The patches which I submitted for the above-mentioned work can be found here.
I would like to acknowledge the guidance provided by Pablo Neira Ayuso, Phil Sutter, Arturo Borrero Gonzalez and the whole netfilter family.