Hi,
I spent some time trying to figure out how to programmatically answer
questions like "Does the ruleset R allow reaching service listening on port P from
interface I?" or "Does the ruleset R1 allow something that ruleset R2 does
not allow?".
I tried to find prior work in this area and was able to find "Verified
iptables Firewall Analysis and Verification" [1] that uses
the Isabelle proof assistant for iptables rules and "Automated Analysis
and Debugging of Network Connectivity Policies" [2, 3] that uses Z3 for
some simple Azure firewall ACL rules.
I could not find anything relevant for netfilter so I began experimenting
a bit by writing a Python function that tries to simulate nftables
behavior given a ruleset and a packet. I used the output of "nft --json list
ruleset" and soon noticed that it doesn't quite contain all the
necessary information for this task.
For example, the default ufw configuration uses iptables to set up
    Chain ufw-not-local (1 references)
     pkts bytes target prot opt in  out source    destination
      779 46756 RETURN 0    --  *   *   0.0.0.0/0 0.0.0.0/0   ADDRTYPE match dst-type LOCAL
which shows up as
    $ sudo nft -a list ruleset | grep "handle 247"
    fib daddr type local counter packets 772 bytes 46336
in the "normal" output. However, in the JSON output critical
information (mainly "LOCAL") is entirely missing:
    $ sudo nft -a --json list ruleset | jq . | grep -B5 -A19 '"handle": 247'
        {
          "rule": {
            "family": "ip",
            "table": "filter",
            "chain": "ufw-not-local",
            "handle": 247,
            "expr": [
              {
                "xt": {
                  "type": "match",
                  "name": "addrtype"
                }
              },
              {
                "counter": {
                  "packets": 778,
                  "bytes": 46696
                }
              },
              {
                "return": null
              }
            ]
          }
        },
I understand that ufw is using a compatibility interface. Nevertheless,
I'm in need of a way to analyze firewall configurations of a large number of
real-world systems programmatically. Can you suggest how I should approach
this? I can think of at least the following options:
1) Fix the JSON output.
2) Ignore the JSON output and try to parse the output of "nft list
ruleset".
3) Use JSON output of most of the stuff but fill the gaps by also
parsing "nft list ruleset".
4) Try to parse the raw netlink traffic seen in "nft --debug=netlink list
ruleset".
5) Create separate tools for parsing iptables and netfilter rules and
hope that no system mixes these two.
[1] https://link.springer.com/article/10.1007/s10817-017-9445-1
[2] https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/secguru.pdf
[3] https://github.com/Z3Prover/FirewallChecker
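As an added illustration (not part of the message above, and not code from the nftables project), here is a small Python sketch of the kind of packet simulator the message describes, run over the libnftables JSON shape. It answers both questions from the opening paragraph: reachable() asks whether a given protocol/port on a given input interface reaches the host, and differs() reports sample packets on which two rulesets disagree. The ruleset is hand-constructed, not real "nft --json list ruleset" output, and it deliberately contains an "xt" expression like the ufw "addrtype" case: whenever the evaluator meets an expression whose matching criteria are absent from the JSON (the "xt" case, or match forms it does not model), it returns UNKNOWN instead of silently guessing, which is the conservative answer an analysis tool should give for the gap the message points out. Only "meta"/"payload" matches with "==" and "!=" against a constant or an anonymous set, counters, jump, accept, drop and return are modelled; everything else is an assumption outside the page and is labelled in the code.

```python
import json

# Constructed sample in the libnftables JSON shape (hand-written, NOT real
# "nft --json list ruleset" output); the "xt" rule mimics the ufw compat case.
SAMPLE_JSON = json.dumps({"nftables": [
    {"table": {"family": "inet", "name": "filter"}},
    {"chain": {"family": "inet", "table": "filter", "name": "input", "type": "filter",
               "hook": "input", "prio": 0, "policy": "drop"}},
    {"chain": {"family": "inet", "table": "filter", "name": "not-local"}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 2, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                   "right": {"set": [22, 443]}}},
        {"counter": {"packets": 0, "bytes": 0}}, {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 3, "expr": [
        {"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "eth1"}},
        {"jump": {"target": "not-local"}}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "not-local", "handle": 4, "expr": [
        {"xt": {"type": "match", "name": "addrtype"}},  # opaque: criteria absent from JSON
        {"drop": None}]}},
]})
# Constructed variant that additionally opens 8080, for the R1-vs-R2 question.
ALT_JSON = SAMPLE_JSON.replace("[22, 443]", "[22, 443, 8080]")

UNKNOWN = "unknown"  # verdict when the JSON cannot tell us what a rule matches

def load_ruleset(text):
    """Index chains by (table, name) and rules by (table, chain), in listed order."""
    chains, rules = {}, {}
    for obj in json.loads(text)["nftables"]:
        if "chain" in obj:
            c = obj["chain"]
            chains[(c["table"], c["name"])] = c
        elif "rule" in obj:
            r = obj["rule"]
            rules.setdefault((r["table"], r["chain"]), []).append(r)
    return chains, rules

def _matches(packet, m):
    """Evaluate one "match" expression: True, False or UNKNOWN."""
    if m["op"] not in ("==", "!="):
        return UNKNOWN
    left, right = m["left"], m["right"]
    if "payload" in left:
        if packet.get("proto") != left["payload"]["protocol"]:
            return False  # implicit protocol dependency fails, whatever the op
        value = packet.get(left["payload"]["field"])
    elif "meta" in left:
        value = packet.get(left["meta"]["key"])
    else:
        return UNKNOWN  # ct, fib, raw payload, ...: not modelled here
    if isinstance(right, dict):
        if "set" not in right:
            return UNKNOWN  # ranges, prefixes, named sets: not modelled
        hit = value in right["set"]
    else:
        hit = value == right
    return hit if m["op"] == "==" else not hit

def eval_chain(chains, rules, table, chain, packet, depth=0):
    """Walk a chain; returns "accept", "drop", "return" or UNKNOWN."""
    if depth > 16:
        return UNKNOWN  # defensive bound on jump nesting in malformed input
    for rule in rules.get((table, chain), []):
        verdict, matched = None, True
        for expr in rule["expr"]:
            if "match" in expr:
                res = _matches(packet, expr["match"])
                if res == UNKNOWN:
                    return UNKNOWN
                if not res:
                    matched = False
                    break
            elif "counter" in expr:
                continue
            elif "jump" in expr:
                verdict = ("jump", expr["jump"]["target"])
            elif set(expr) & {"accept", "drop", "return"}:
                verdict = next(iter(expr))
            else:
                return UNKNOWN  # "xt" and anything else we cannot interpret
        if not matched or verdict is None:
            continue  # rule did not apply, or only counted
        if isinstance(verdict, tuple):
            sub = eval_chain(chains, rules, table, verdict[1], packet, depth + 1)
            if sub != "return":
                return sub  # accept/drop/UNKNOWN propagate; "return" resumes here
            continue
        return verdict
    c = chains.get((table, chain), {})
    return c.get("policy", "accept") if "hook" in c else "return"

def reachable(ruleset, iface, port, proto="tcp", table="filter", chain="input"):
    """Question 1: can proto/port arriving on iface reach a local service?"""
    pkt = {"iifname": iface, "proto": proto, "dport": port}
    return eval_chain(*ruleset, table, chain, pkt)

def differs(rs1, rs2, packets, table="filter", chain="input"):
    """Question 2: sample packets on which the two rulesets disagree."""
    return [(p, v1, v2) for p in packets
            for v1, v2 in [(eval_chain(*rs1, table, chain, p), eval_chain(*rs2, table, chain, p))]
            if v1 != v2]
```

With the constructed ruleset, reachable(load_ruleset(SAMPLE_JSON), "eth0", 22) is "accept", the same port over UDP falls to the base-chain policy "drop", and any packet that takes the jump into the chain holding the "xt" rule comes back UNKNOWN, because nothing in the JSON says what "addrtype" compares. differs() is a sampling check rather than a proof: it only finds disagreements on the packets you hand it, which is the point at which a tool like the Isabelle or Z3 work cited above becomes necessary.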