* nftables: priority handling for changes on the same table
@ 2022-05-17 14:22 Florian Eckert
2022-05-17 15:07 ` Kamil Jońca
0 siblings, 1 reply; 2+ messages in thread
From: Florian Eckert @ 2022-05-17 14:22 UTC (permalink / raw)
To: netfilter
Hallo Community
OpenWrt has recently switched to nftables for the new release
openwrt-22.03 [1].
For this purpose, a new firewall service fw4 was created, which
generates the rules for the nft and loads them into the kernel [2].
Since I am a package manager at openwrt I have a question regarding
nftables.
I am in the process of making the strongswan and other packages mwan3
fit for nftables because up now a lot of stuff is not working proper
with fw4(nftables)
It works with iptables-nft and ip6tables-nft.
My problem now is that the strongswan iptables rules are set when a
tunnel is up or down via the _updown script.
I wanted to port this to nft now.
To use the script approach with "nft rule add ..." seems to work, but
deleting them is poor, because I have to search for the handle first.
Is there no other option here?
I have also tried to create my own chain "strongswan_filter_pre_forward"
before the openwrt fw4 table chain "forward",
but somehow this does not not working as expected!
Not working:
root@G3-10483 ~ # nft list ruleset
table inet fw4 {
...
chain strongswan_filter_pre_forward {
type filter hook forward priority filter - 2; policy accept;
iifname "eth0" meta ipsec exists ipsec in reqid 1 ip saddr
192.168.17.0/24 ip daddr 192.168.99.0/24 accept
oifname "eth0" meta ipsec exists ipsec out reqid 1 ip saddr
192.168.99.0/24 ip daddr 192.168.17.0/24 accept
}
...
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow
forwarded established and related flows"
iifname "eth1" jump forward_lan comment "!fw4: Handle lan
IPv4/IPv6 forward traffic"
iifname "eth0" jump forward_wan comment "!fw4: Handle wan
IPv4/IPv6 forward traffic"
jump handle_reject
}
...
}
Working:
root@G3-10483 ~ # nft list ruleset
table inet fw4 {
...
chain forward {
type filter hook forward priority filter; policy drop;
iifname "eth0" meta ipsec exists ipsec in reqid 1 ip saddr
192.168.17.0/24 ip daddr 192.168.99.0/24 accept
oifname "eth0" meta ipsec exists ipsec out reqid 1 ip saddr
192.168.99.0/24 ip daddr 192.168.17.0/24 accept
ct state established,related accept comment "!fw4: Allow
forwarded established and related flows"
iifname "eth1" jump forward_lan comment "!fw4: Handle lan
IPv4/IPv6 forward traffic"
iifname "eth0" jump forward_wan comment "!fw4: Handle wan
IPv4/IPv6 forward traffic"
jump handle_reject
}
...
}
I have specially lowered the 'priority' of the chain
"strongswan_filter_pre_forward" by two so that it runs before the
'forward' chain.
Is it possible that my approach is wrong and it doesn't work like this?
I have not found anything in the documentation about that.
Kind regards
Florian
[1] https://github.com/openwrt/openwrt/tree/openwrt-22.03
[2] https://git.openwrt.org/?p=project/firewall4.git;a=summary
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: nftables: priority handling for changes on the same table
2022-05-17 14:22 nftables: priority handling for changes on the same table Florian Eckert
@ 2022-05-17 15:07 ` Kamil Jońca
0 siblings, 0 replies; 2+ messages in thread
From: Kamil Jońca @ 2022-05-17 15:07 UTC (permalink / raw)
To: netfilter
Florian Eckert <fe@dev.tdt.de> writes:
>
> Not working:
> root@G3-10483 ~ # nft list ruleset
> table inet fw4 {
> ...
> chain strongswan_filter_pre_forward {
> type filter hook forward priority filter - 2; policy accept;
> iifname "eth0" meta ipsec exists ipsec in reqid 1 ip saddr
> 192.168.17.0/24 ip daddr 192.168.99.0/24 accept
> oifname "eth0" meta ipsec exists ipsec out reqid 1 ip saddr
> 192.168.99.0/24 ip daddr 192.168.17.0/24 accept
> }
> ...
> chain forward {
> type filter hook forward priority filter; policy drop;
> ct state established,related accept comment "!fw4: Allow
> forwarded established and related flows"
> iifname "eth1" jump forward_lan comment "!fw4: Handle lan
> IPv4/IPv6 forward traffic"
> iifname "eth0" jump forward_wan comment "!fw4: Handle wan
> IPv4/IPv6 forward traffic"
> jump handle_reject
> }
> ...
> }
> Working:
> root@G3-10483 ~ # nft list ruleset
> table inet fw4 {
> ...
> chain forward {
> type filter hook forward priority filter; policy drop;
> iifname "eth0" meta ipsec exists ipsec in reqid 1 ip saddr
> 192.168.17.0/24 ip daddr 192.168.99.0/24 accept
> oifname "eth0" meta ipsec exists ipsec out reqid 1 ip saddr
> 192.168.99.0/24 ip daddr 192.168.17.0/24 accept
> ct state established,related accept comment "!fw4: Allow
> forwarded established and related flows"
> iifname "eth1" jump forward_lan comment "!fw4: Handle lan
> IPv4/IPv6 forward traffic"
> iifname "eth0" jump forward_wan comment "!fw4: Handle wan
> IPv4/IPv6 forward traffic"
> jump handle_reject
> }
> ...
> }
>
> I have specially lowered the 'priority' of the chain
> "strongswan_filter_pre_forward" by two so that it runs before the
> 'forward' chain.
>
> Is it possible that my approach is wrong and it doesn't work like
> this? I have not found anything in the documentation about that.
Correct me if I am wrong but but "accept" in
strongswan_filter_pre_forward causes pass packet to normal forward
chain (where packet is dropped I believe)
If you want to keep "multpile chain" approach then I think the best way
is to "mark" packet (instead of "accept") in
strongswan_filter_pre_forward and then in "forward"chain
- accept marked packets.
You can also wait for next release
(https://marc.info/?l=netfilter&m=165031449504497&w=2)
this release should have more set/map/vmap possiblities
and then should be possible to use something like (I know that this is
not the best example, but I am olso in migration process)
--8<---------------cut here---------------start------------->8---
add chain ip filter ipsec-fw-${PLUTO_REQID} \;\
add rule ip filter ipsec-fw-${PLUTO_REQID} iif ${PLUTO_INTERFACE} ipsec in reqid ${PLUTO_REQID} ip saddr ${PLUTO_PEER_CLIENT} ip daddr ${PLUTO_MY_CLIENT} accept \;\
add rule ip filter ipsec-fw-${PLUTO_REQID} oif ${PLUTO_INTERFACE} ipsec out reqid ${PLUTO_REQID} ip saddr ${PLUTO_MY_CLIENT} ip daddr ${PLUTO_PEER_CLIENT} accept \;\
add element ip filter ipsec_fw '{' ${PLUTO_REQID} : jump ipsec-fw-${PLUTO_REQID} '}'\;\
--8<---------------cut here---------------end--------------->8---
where static config would be:
map ipsec_fw {
typeof ipsec in reqid : verdict
flags interval
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
[...]
ct state established,related accept
ipsec out reqid vmap @ipsec_fw
ipsec in reqid vmap @ipsec_fw
}
I compiled modified sources and this works (in a way ;) )
KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-05-17 15:07 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-17 14:22 nftables: priority handling for changes on the same table Florian Eckert
2022-05-17 15:07 ` Kamil Jońca
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.