Migration to nftables : from ipset and bogons

warning bogon flux may exceed safety limit

It's 2019, time to turn the page on iptables and give nftables a warm welcome.

In this post you will see a few things about this migration. You'll also find a link to my repository, which contains a shell script ready to use to update your bogon sets.

Quick reminder of the initial setup

I use ipset and iptables to manage this big filter:

  • ipset: holds all the bogon IP ranges
  • iptables: does the filtering on forward, input (prerouting) and output

If you want more information about it: Using ipset and iptables to block full bogons

Why is it important to migrate to nftables?

nftables will read in all of the included config files, create the config object in memory alongside the existing config, and then in one atomic operation it swaps the old config for the new one meaning there is no moment when the firewall is partially configured - https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rule_replacement

From ipset to sets

With nftables you can't use ipset: the bogon ranges have to live in sets, which are native to nftables.

set bogons4 {
  type ipv4_addr
  flags interval
}

Here the set is declared empty. The elements = { ... } line is optional, so for an empty set you simply leave it out and fill the set later (for example with nft add element, or from the script below). flags interval is what lets the set hold CIDR ranges such as 10.0.0.0/8 rather than single addresses, which is what a bogon list needs.

From iptables to nftables

I won't rewrite the whole README from my git repository, just the strangest part.
By default there is no RAW PREROUTING chain: you have to create it yourself. It is simply a base chain of type filter hooked at prerouting, with priority -300 (the priority iptables used for its raw table, so the chain runs before conntrack sees the packet).

chain pre_raw {
  type filter hook prerouting priority -300; policy drop;
  ip saddr @bogons4 drop
}

I told you RAW doesn't exist... That's the hard part of nftables when you come from iptables. One caveat on the chain above: policy drop means every packet this chain does not explicitly accept is dropped, not only the bogons, so unless the rest of the chain accepts your legitimate traffic, a chain whose only job is to drop bogon sources should use policy accept.

Where is the code?

On GitHub: bogons_nftables

You'll find my bash script that automatically updates the sets with the latest fullbogons from Team Cymru.
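As an added example (this is not the script from the repository above, nor the author's configuration), here is a small POSIX shell script that does the whole job discussed on this page: it turns a Team Cymru fullbogons list into an nftables set with flags interval, declares the prerouting and output base chains at the raw priority, and loads everything with one nft -f, so the set and the rules are swapped in a single atomic transaction as the wiki quote above describes. The table name bogons, the chain names pre_raw and out_raw, the 100-prefix minimum and the fullbogons URL are assumptions; the bogon list embedded in the script is a constructed sample, not a real download. Every line of the feed is validated before it reaches the ruleset file, so a corrupted or hostile feed can never become nft syntax, and a failed download refuses to apply rather than silently emptying the set.

```shell
#!/bin/sh
# Added example (not the author's repository script): rebuild the nftables bogon
# set from a Team Cymru fullbogons list and load it with a single `nft -f`, so the
# set, the chains and their rules are replaced in one transaction.
# Assumed names: table "bogons", set "bogons4", chains "pre_raw"/"out_raw", and
# the fullbogons URL below (check it against the Team Cymru page).
set -eu

FULLBOGONS_URL=${FULLBOGONS_URL:-https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt}

# Constructed sample in the fullbogons format (comments plus one prefix per line),
# including lines a real feed should never contain: a bad octet, a bad prefix
# length, a duplicate, and an injection attempt that tries to smuggle nft syntax.
SAMPLE_FULLBOGONS='# constructed sample, not a real download
# last updated 2019-01-01 00:00 (GMT+0000)
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
192.0.2.0/24
10.0.0.0/8
256.1.1.1/8
192.0.2.0/33
203.0.113.0/24 } chain evil { type filter hook input priority 0; policy accept; }'

# Keep only well-formed IPv4 prefixes (octets 0-255, length 0-32), deduplicated.
# Everything else is discarded, so feed content can never become nft syntax.
filter_cidrs() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
        $0 == "" { next }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            split($0, p, "[./]"); ok = 1
            for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) ok = 0
            if (p[5] + 0 > 32) ok = 0
            if (ok) print
        }' | LC_ALL=C sort -u
}

# Read a fullbogons list on stdin and print a complete nft ruleset on stdout.
# Refuses (exit 1) when fewer than $1 prefixes survive filtering: a failed or
# truncated download must not silently turn the bogon filter off.
render_ruleset() {
    min_elements=$1
    cidrs=$(filter_cidrs)
    count=$(printf '%s\n' "$cidrs" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -lt "$min_elements" ]; then
        echo "refusing to build ruleset: only $count valid prefixes (minimum $min_elements)" >&2
        return 1
    fi
    elements=$(printf '%s\n' "$cidrs" | awk 'NF { printf "%s%s", (n++ ? ", " : ""), $0 }')
    # Declaring the table, set and base chains first makes the file work on a
    # fresh host; the flushes make every reload idempotent (no duplicated rules),
    # and nft -f commits all of it atomically. priority -300 is the old iptables
    # raw priority, so the drop happens before conntrack ever sees the packet.
    cat <<EOF
table inet bogons {
    set bogons4 {
        type ipv4_addr
        flags interval
    }
    chain pre_raw {
        type filter hook prerouting priority -300; policy accept;
    }
    chain out_raw {
        type filter hook output priority -300; policy accept;
    }
}
flush chain inet bogons pre_raw
flush chain inet bogons out_raw
flush set inet bogons bogons4
add element inet bogons bogons4 { $elements }
add rule inet bogons pre_raw ip saddr @bogons4 drop
add rule inet bogons out_raw ip daddr @bogons4 drop
EOF
}

# Download, render, syntax-check (nft -c) and only then load the ruleset.
update_bogons() {
    tmp=$(mktemp)
    if ! curl -fsS "$FULLBOGONS_URL" | render_ruleset 100 > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if nft -c -f "$tmp" && nft -f "$tmp"; then status=0; else status=1; fi
    rm -f "$tmp"
    return $status
}

# Run as "sh bogons.sh apply" (as root, e.g. from cron) to update the live ruleset.
if [ "${1:-}" = apply ]; then
    update_bogons
fi
```

Two design choices worth noting. The chains use policy accept because their only job is to drop bogon sources (prerouting) and bogon destinations (output); everything else must continue to your normal input and forward chains, and a prerouting chain covers both of those in one place. And the nft -c dry run before nft -f means that a feed containing overlapping prefixes, which nftables rejects for an interval set, is caught before anything is touched, leaving the previous set in place.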

I hope this can help you 😉