* Nftables rules change when network interfaces disappear
@ 2020-09-01 11:59 Mikhail Morfikov
From: Mikhail Morfikov @ 2020-09-01 11:59 UTC (permalink / raw)
  To: netfilter
I was trying to write some FW policy for VPN and I added the following rules to
my openvpn script:

    nft create chain ip nat force-vpn
    nft add rule ip nat POSTROUTING meta oif ${dev} counter jump force-vpn
    nft add rule ip nat force-vpn meta oif ${dev} counter snat ${ifconfig_local}

When the VPN connection is being established, the rules do their job: the ${dev}
variable is properly resolved and nftables can live with it just fine:

# nft -a list table ip nat

table ip nat { # handle 55
...
        chain POSTROUTING { # handle 3
...
                oif "tun0" counter packets 0 bytes 0 jump force-vpn # handle 20
        }
...
        chain force-vpn { # handle 19
                oif "tun0" counter packets 0 bytes 0 snat to 172.27.100.20 # handle 21
        }
}

But when I close the VPN connection, something weird happens. The above rules
now look like this:

# nft -a list table ip nat

table ip nat { # handle 55
...
        chain POSTROUTING { # handle 3
...
                oif 61 counter packets 0 bytes 0 jump force-vpn # handle 20
        }
...
        chain force-vpn { # handle 19
                oif 61 counter packets 0 bytes 0 snat to 172.27.100.20 # handle 21
        }
}

So the output interface is now 61 and not "tun0". My script doesn't do anything
with the nftables rules when the VPN connection is closing, so the value of the
output interface magically changed on its own.

The number is the one that can be found in the output of the `ip` command when 
the interface was created:

# ip addr show
...
61: tun0: ...
...

Is this a bug or is this intended behavior?

---
# nft -v
nftables v0.9.6 (Capital Idea #2)

# cat /proc/version
Linux version 5.8.5-amd64 (morfik@morfikownia) (gcc (Debian 10.2.0-5) 10.2.0, GNU ld (GNU Binutils for Debian) 2.35) #2 SMP PREEMPT Thu Aug 27 12:08:37 CEST 2020


* Re: Nftables rules change when network interfaces disappear
From: Duncan Roe @ 2020-09-01 12:41 UTC (permalink / raw)
  To: netfilter

On Tue, Sep 01, 2020 at 01:59:51PM +0200, Mikhail Morfikov wrote:
> I was trying to write some FW policy for VPN and I added the following rules to
> my openvpn script:
>
>     nft create chain ip nat force-vpn
>     nft add rule ip nat POSTROUTING meta oif ${dev} counter jump force-vpn
>     nft add rule ip nat force-vpn meta oif ${dev} counter snat ${ifconfig_local}
>
> When the VPN connections is being established, the rules do their job, the ${dev}
> variable is properly resolved and nftables can live with it just fine:
>
> # nft -a list table ip nat
>
> table ip nat { # handle 55
> ...
>         chain POSTROUTING { # handle 3
> ...
>                 oif "tun0" counter packets 0 bytes 0 jump force-vpn # handle 20
>         }
> ...
>         chain force-vpn { # handle 19
>                 oif "tun0" counter packets 0 bytes 0 snat to 172.27.100.20 # handle 21
>         }
> }
>
> But when I close the VPN connection, something weird happens. The above rules
> now looks like this:
>
> # nft -a list table ip nat
>
> table ip nat { # handle 55
> ...
>         chain POSTROUTING { # handle 3
> ...
>                 oif 61 counter packets 0 bytes 0 jump force-vpn # handle 20
>         }
> ...
>         chain force-vpn { # handle 19
>                 oif 61 counter packets 0 bytes 0 snat to 172.27.100.20 # handle 21
>         }
> }
>
> So the output interface is now 61 and not "tun0" . My script doesn't do anything
> with the nftables rules when the VPN connection is closing. So the value of the
> output interface magically changed on its own.
>
> The number is the one that can be found in the output of the `ip` command when
> the interface was created:
>
> # ip addr show
> ...
> 61: tun0: ...
> ...
>
> Is this a bug or is this intended behavior?
>
> ---
> # nft -v
> nftables v0.9.6 (Capital Idea #2)
>
> # cat /proc/version
> Linux version 5.8.5-amd64 (morfik@morfikownia) (gcc (Debian 10.2.0-5) 10.2.0, GNU ld (GNU Binutils for Debian) 2.35) #2 SMP PREEMPT Thu Aug 27 12:08:37 CEST 2020
>

Hi Mikhail,

You can only use 'oif' for interfaces with indexes that will never change, such
as eth0. For all other interfaces, you must use 'oifname'. Otherwise, you get
the behaviour you report.

See PRIMARY EXPRESSIONS / META EXPRESSIONS in 'man nft'.

Cheers ... Duncan.


* Re: Nftables rules change when network interfaces disappear
From: Eric Garver @ 2020-09-01 12:41 UTC (permalink / raw)
  To: Mikhail Morfikov; +Cc: netfilter

On Tue, Sep 01, 2020 at 01:59:51PM +0200, Mikhail Morfikov wrote:
> I was trying to write some FW policy for VPN and I added the following rules to
> my openvpn script:
> 
>     nft create chain ip nat force-vpn
>     nft add rule ip nat POSTROUTING meta oif ${dev} counter jump force-vpn
>     nft add rule ip nat force-vpn meta oif ${dev} counter snat ${ifconfig_local}
> 
> When the VPN connections is being established, the rules do their job, the ${dev} 
> variable is properly resolved and nftables can live with it just fine:
> 
> # nft -a list table ip nat
> 
> table ip nat { # handle 55
> ...
>         chain POSTROUTING { # handle 3
> ...
>                 oif "tun0" counter packets 0 bytes 0 jump force-vpn # handle 20
>         }
> ...
>         chain force-vpn { # handle 19
>                 oif "tun0" counter packets 0 bytes 0 snat to 172.27.100.20 # handle 21
>         }
> }
> 
> But when I close the VPN connection, something weird happens. The above rules 
> now looks like this:
> 
> # nft -a list table ip nat
> 
> table ip nat { # handle 55
> ...
>         chain POSTROUTING { # handle 3
> ...
>                 oif 61 counter packets 0 bytes 0 jump force-vpn # handle 20
>         }
> ...
>         chain force-vpn { # handle 19
>                 oif 61 counter packets 0 bytes 0 snat to 172.27.100.20 # handle 21
>         }
> }
> 
> So the output interface is now 61 and not "tun0" . My script doesn't do anything 
> with the nftables rules when the VPN connection is closing. So the value of the 
> output interface magically changed on its own.
> 
> The number is the one that can be found in the output of the `ip` command when 
> the interface was created:
> 
> # ip addr show
> ...
> 61: tun0: ...
> ...
> 
> Is this a bug or is this intended behavior?

IIRC, oif will look up the interface name and map that to an ifindex. But
that breaks if the interface goes away.

You should use "oifname" instead of "oif".


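The two answers above (match on the name with oifname, because oif is resolved to an ifindex when the rule is loaded) can be turned into a script fragment plus a quick audit. The following is an added example written for this thread, not code from the thread, from nftables or from OpenVPN: it prints the poster's policy with `oifname` in place of `oif`, and it counts rules in `nft -a list ruleset` output that have already degraded to a bare interface index. The table and chain names are the ones from the thread; the `dev` and `ifconfig_local` arguments stand for the variables OpenVPN exports to its --up script, and the two listings embedded below are constructed from the thread's output.

```sh
#!/bin/sh
# Added example, not part of the thread: the poster's openvpn --up rules
# rewritten to match on the interface name (oifname), as Duncan Roe and
# Eric Garver advise, plus a check for rules that have already degraded to a
# bare interface index. Table/chain names are taken from the thread; the
# "dev" and "ifconfig_local" values are the OpenVPN script variables.

# Print the nft commands for the VPN SNAT policy, matching by name rather
# than by index. The output can be piped to `nft -f -`; it is printed instead
# of applied so it can be reviewed without root.
vpn_nat_rules() {
    dev="$1"
    ifconfig_local="$2"
    cat <<EOF
add chain ip nat force-vpn
add rule ip nat POSTROUTING oifname "$dev" counter jump force-vpn
add rule ip nat force-vpn oifname "$dev" counter snat to $ifconfig_local
EOF
}

# Count iif/oif matches in `nft -a list ruleset` output (read from stdin)
# that now reference only a number. `oif "tun0"` and `oifname "tun0"` do not
# match; `oif 61` does. Always exits 0 so it is safe under `set -e`.
count_dangling_ifindex_rules() {
    grep -cE '(^|[[:space:]])[io]if [0-9]+([[:space:]]|$)' || true
}

# Constructed sample: the listing from the thread after tun0 was torn down.
SAMPLE_AFTER_TEARDOWN='table ip nat {
        chain POSTROUTING {
                oif 61 counter packets 0 bytes 0 jump force-vpn # handle 20
        }
        chain force-vpn {
                oif 61 counter packets 0 bytes 0 snat to 172.27.100.20 # handle 21
        }
}'

# Constructed sample: the same policy loaded with oifname, which keeps the
# name even after the interface disappears.
SAMPLE_FIXED='table ip nat {
        chain POSTROUTING {
                oifname "tun0" counter packets 0 bytes 0 jump force-vpn # handle 20
        }
        chain force-vpn {
                oifname "tun0" counter packets 0 bytes 0 snat to 172.27.100.20 # handle 21
        }
}'

# Rules the --up script would load (dev and ifconfig_local values constructed):
vpn_nat_rules tun0 172.27.100.20

# On a live box: nft -a list ruleset | count_dangling_ifindex_rules
printf '%s\n' "$SAMPLE_AFTER_TEARDOWN" | count_dangling_ifindex_rules   # 2
printf '%s\n' "$SAMPLE_FIXED" | count_dangling_ifindex_rules            # 0
```

The audit is worth running after any interface churn (VPN restarts, container or VM teardown): a rule that lists `oif 61` no longer matches anything until an interface happens to be created with that index again, at which point the SNAT would apply to whatever that interface is.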

* Re: Nftables rules change when network interfaces disappear
From: Mikhail Morfikov @ 2020-09-01 12:51 UTC (permalink / raw)
  To: netfilter
On 01/09/2020 14.41, Duncan Roe wrote:
> 
> You can only use 'oif' for interfaces with indexes that will never change, such
> as eth0. For all other interfaces, you must use 'oifname'. Otherwise, you get
> the behaviour you report.
> 
> See PRIMARY EXPRESSIONS / META EXPRESSIONS in 'man nft'.
> 

I see. It works well now. Thanks.