This is the part 2 of the MTD serie and it presents what happens behind the scenes in the PoC introduced in the part 1<\/a>.<\/p>\n\n\n\n The title of this section is the same as this post’s title<\/a>. The post describes the key point in terms of the PoC implementation – the ability to apply nftables rules using pure python. As you can read the python3-nftables package is all you need to implement your own solution.<\/p>\n\n\n\n The core configuration of the PoC is based on the files in this directory<\/a>. Actually, only three out of four are important, we don’t care about the configuration_schema.json <\/em> file – this one only validates the configuration.json<\/em> file. So, let’s describe the remaining files. <\/p>\n\n\n\n The first file is the configuration.json<\/em>. This is the custom file designed by myself and it has all the necessary configuration the PoC reads during the startup. There are three JSON objects:<\/p>\n\n\n\n redis_connection_configuration<\/em> and redis_subscriber_configuration <\/em>are related only to the Redis communication whereas nftables_service_configuration<\/em> consists of the configuration closely related to the nftables rules the PoC applies in the runtime – so let’s focus on this one. There are following objects:<\/p>\n\n\n\n nft_startup_commands_path<\/em> and nft_address_rules_path<\/em> point to the JSON files that consist of nftables commands – we will discuss these two files later on but for now it is worth to mention that the files’ content is based on the JSON schema that is well documented here<\/a> (it is also mentioned in the aforementioned post<\/a>).<\/p>\n\n\n\n max_port_number<\/em> is the maximum port number that the program can choose when choosing redirection ports.<\/p>\n\n\n\n tcp_ports<\/em> is a list of port numbers that are in use on the host machine.<\/p>\n\n\n\n watched_addresses<\/em> is a list of objects in which each of them describes watched address In this section (and in the next one) I won’t describe in details the file content because it’s not the point. The nft_startup_commands.json<\/em> file was also created by myself but its content is based on the previously mentioned schema<\/a>. The file contains six nftables commands that do the following:<\/p>\n\n\n\n T<\/span>he commands don’t rely on the configuration.json<\/em> file, i.e. they are always the same. The main purpose of them is to remove all nftables-related rules and structures (tables and chains) created so far and prepare empty chains for the newly generated rules (described in the next section).<\/p>\n\n\n\n The nft_address_rules.json<\/em> file contains nftables commands that create redirection rules. The nft_address_rules.json<\/em><\/em> file was also created by myself and its content is also based on the previously mentioned schema<\/a>. The file content is not 100% valid because it contains For each in the watched_addresses<\/em> list from the configuration.json<\/em> file and for each in the tcp_ports<\/em> list excluding tcp_ignore<\/em> list the program generates rules according to the nft_address_rules.json<\/em> file. In other words, the nft_address_rules.json<\/em> file is a template for The foregoing description might be a little involved but let me try to simplify it by an example. As the code on the GitHub repository might change in the future let’s assume that the following example uses the configuration.json<\/em>, nft_startup_commands.json<\/em> and nft_address_rules.json <\/em> files from this commit<\/a>.<\/p>\n\n\n\n Let’s focus for now on the README file section<\/a>. The nftables<\/em> container is the one that has the PoC up and running. Now let’s move to this README section<\/a> and to the following part “Once you send the message, you should see that the\u00a0 I hope the explanation helps at least a little in understanding the presented PoC. There is one more thing that might help you to understand the concept. If you run the PoC according to the README<\/a> you can list all applied nftables commands by the PoC on the host machine (i.e. nftables<\/em> container). All you have to do is to run the following command inside the nftables<\/em> container: Have a nice day, bye!<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Introduction This is the part 2 of the MTD serie and it presents what happens behind the scenes in the PoC introduced in the part…<\/p>\nHow to use nftables from python?<\/h2>\n\n\n\n
PoC implementation<\/h2>\n\n\n\n
configuration.json<\/h2>\n\n\n\n
i.e. an IP address (ip<\/em> field) and a list of ports (tcp_ignore<\/em> field) that we want to exclude from the whole redirection process.<\/p>\n\n\n\nnft_startup_commands.json<\/h2>\n\n\n\n
nft_address_rules.json<\/h2>\n\n\n\n
4 custom tokens that are replaced in the runtime:<\/p>\n\n\n\n
a batch of rules for a particular pair of a watched IP address and a port (not ignored one).<\/p>\n\n\n\nExample<\/h2>\n\n\n\n
nftables<\/code>\u00a0container received the message (first terminal). Receiving the message means that the nftables rules has been applied.” What does it mean “the nftables rules has been applied”? Let me break it down by describing the whole rules application process in the following steps:<\/p>\n\n\n\n
a random number from the range [1..20] (20 is the max_port_number<\/em>) excluding [1, 2, 3, 4, 5] (tcp_ports<\/em>) and {{PROTOCOL}} by “tcp”.<\/li>
a random number from the range [1..20] (20 is the max_port_number<\/em>) excluding [1, 2, 3, 4, 5] (tcp_ports<\/em>) and excluding [NumberChosenForPort3] and {{PROTOCOL}} by “tcp”.<\/li>Summary<\/h2>\n\n\n\n
nft list ruleset<\/code>.<\/p>\n\n\n\n