* Proper way to ipsec filtering
From: Kamil Jońca @ 2022-04-17 6:37 UTC (permalink / raw)
To: netfilter
What is the best way to create rules for IPsec traffic filtering?
So far I have a bunch of rules created per reqid, like this:
table ip filter { # handle 13
    chain INPUT { # handle 1
        type filter hook input priority filter; policy drop;
        iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326
        [...]
    }
    [...]
    chain ipsec-in-1 { # handle 323
        ip saddr yyy ip daddr xxxx/24 counter packets 50871 bytes 5614784 jump c1 # handle 325
        ip protocol ipencap ip daddr zzzz counter packets 49801 bytes 5878107 accept # handle 324
    }
}
and I insert/remove rules in INPUT (and add/delete ipsec-in-*
chains) as clients connect and disconnect.
This is what I configured when I migrated from iptables some time ago.
But I believe this is not the best method for nftables. Does anybody
have a suggestion for the best practice to handle this situation?
I tried to use maps/vmaps, but reqid cannot be used as an index.
Am I missing something?
KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
* Re: Proper way to ipsec filtering
From: Florian Westphal @ 2022-04-18 10:14 UTC (permalink / raw)
To: Kamil Jońca; +Cc: netfilter
Kamil Jońca <kjonca@op.pl> wrote:
> What is the best way to create rules for IPsec traffic filtering?
>
> So far I have a bunch of rules created per reqid, like this:
> table ip filter { # handle 13
>
>     chain INPUT { # handle 1
>         type filter hook input priority filter; policy drop;
>         iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326
>         [...]
[..]
> But I believe this is not the best method for nftables. Does anybody
> have a suggestion for the best practice to handle this situation?
> I tried to use maps/vmaps, but reqid cannot be used as an index.
That's a bug / missing feature; it should be possible to use reqid in concatenated keys
too. I've sent a patch for this:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220418100924.5669-2-fw@strlen.de/
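The following ruleset is an added illustration of the approach Florian describes, not code from either mail: the one-rule-per-reqid jumps in the original INPUT chain folded into a single verdict map lookup keyed on interface name and SA reqid, so connecting and disconnecting a client becomes an element add/delete instead of a rule insert/delete. It assumes an nftables build in which `ipsec in reqid` is accepted as a (concatenated) map key, i.e. one carrying the fix referenced above, `typeof` support in set/map declarations, an IPsec gateway terminating ESP on eth0, and made-up addresses from the RFC 5737 documentation ranges.

```nft
# Added example (not Kamil's or Florian's code). Assumes: nftables with
# "ipsec in reqid" usable as a map key, ESP terminated on eth0, and
# placeholder client/server addresses (192.0.2.x, 198.51.100.0/24).
table ip filter {
    # Key: ingress interface . xfrm reqid, value: verdict.
    # "typeof" takes the key types from the expressions themselves.
    map ipsec_in {
        typeof iifname . ipsec in reqid : verdict
        elements = {
            "eth0" . 1 : jump ipsec-in-1,
            "eth0" . 2 : jump ipsec-in-2,
        }
    }

    # One chain per client (per reqid) describing what that client may reach.
    # The SA identifies the peer; the inner saddr check pins the client to
    # the address it was assigned so one tunnel cannot speak for another.
    chain ipsec-in-1 {
        ip saddr 192.0.2.10 ip daddr 198.51.100.0/24 counter accept
    }
    chain ipsec-in-2 {
        ip saddr 192.0.2.20 ip daddr 198.51.100.0/24 counter accept
    }

    chain INPUT {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept

        # Outer traffic: IKE (500, NAT-T 4500) and ESP must be accepted so
        # the kernel can negotiate and decapsulate. These packets have not
        # been through an SA yet, so they do not match "ipsec in".
        iif "eth0" udp dport { 500, 4500 } accept
        iif "eth0" ip protocol esp accept

        # Inner traffic: after decapsulation the cleartext packet traverses
        # the input hook again and now matches "ipsec in". Dispatch on its
        # SA's reqid with one lookup; no per-client rule lives here.
        iifname . ipsec in reqid vmap @ipsec_in

        # A cleartext packet on eth0 spoofing an inner address never came
        # out of an SA, so "ipsec in" fails and it falls to policy drop.
    }
}
```

Clients are then added and removed at runtime without touching INPUT: create the per-client chain first (`nft add chain ip filter ipsec-in-3` plus its rules), then `nft add element ip filter ipsec_in { "eth0" . 3 : jump ipsec-in-3 }`; on disconnect delete the element before the chain, since a chain that is still a jump target cannot be deleted. Check the file with `nft -c -f ruleset.nft` on the target box before loading it, which is also the quickest way to confirm that the installed nftables accepts reqid in the map key.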
* Re: Proper way to ipsec filtering
From: Kamil Jońca @ 2022-04-18 20:41 UTC (permalink / raw)
To: netfilter
Florian Westphal <fw@strlen.de> writes:
[...]
> Thats a bug / missing feature, it should be possible to use reqid in concatenated keys
> too. I've sent a patch for this:
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220418100924.5669-2-fw@strlen.de/
>
Well, I cloned the repo and compiled it on my Debian sid test box. Seems to
work as expected.
Thank you.
So now I have to wait until Debian adopts it. :)
Thanks again.
KJ
--
http://wolnelektury.pl/wesprzyj/teraz/