netfilter-devel.vger.kernel.org archive mirror
From: Phil Sutter <phil@nwl.cc>
To: Daniel Huhardeaux <tech@tootai.net>
Cc: Netfilter list <netfilter-devel@vger.kernel.org>
Subject: Re: ipv6 forward rule after prerouting - Howto
Date: Wed, 6 Nov 2019 19:50:22 +0100	[thread overview]
Message-ID: <20191106185022.GT15063@orbyte.nwl.cc> (raw)
In-Reply-To: <eb91d7f8-e344-c697-b2e0-ff4fb77245b2@tootai.net>

Hi,

On Wed, Nov 06, 2019 at 06:55:56PM +0100, Daniel Huhardeaux wrote:
> Hello,
> 
> I set up prerouting rules with maps like
> 
> chain prerouting {
>     type nat hook prerouting priority 0; policy accept;
>     iif "ens3" ip6 saddr . tcp dport vmap @blacklist_tcp
>     iif "ens3" ip6 saddr . udp dport vmap @blacklist_udp
>     dnat to tcp dport map @fwdtoip_tcp:tcp dport map @fwdtoport_tcp
>     dnat to udp dport map @fwdtoip_udp:udp dport map @fwdtoport_udp
>     ip6 daddr 2a01:729:16e:10::9998 redirect to :tcp dport map @redirect_tcp
>     ip6 daddr 2a01:729:16e:10::9998 redirect to :udp dport map @redirect_udp
>     ct status dnat accept
>     }
> 
> Default behavior in the ip6 filter forward table is to drop. This means that 
> my above rules are blocked, I see (u18srv being the machine that will 
> forward the traffic to another one):
> 
> 18:32:00.476524 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq 
> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255777795 ecr 
> 0,nop,wscale 7], length 0
> 18:32:08.668468 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq 
> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255785986 ecr 
> 0,nop,wscale 7], length 0
> 18:32:24.796392 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq 
> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255802114 ecr 
> 0,nop,wscale 7], length 0
> 
> Now if I change my default value to accept for ip6 filter forward table, 
> all is good.
> 
> Question: how can I add a forward rule to the filter table using the existing 
> maps which are defined in the nat table? Other solution?
> 
> I thought that ct status dnat accept was the key to achieve my goal, 
> seems not :(
> 
> Thanks for any hint

Please be aware that the 'accept' verdict will only stop the packet from
traversing the current chain, and any later chain may still drop the
packet. Only the 'drop' verdict is final in that sense.

So regarding your problem, I guess you have to add the 'ct state' based
accept rule to the forward chain to prevent the drop policy from affecting
the packet. Your prerouting chain already has an accept policy, so explicit
accepting shouldn't be needed.

Cheers, Phil
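A forward chain that applies this advice, as an added example and not a ruleset from either poster: the DNAT binding created in prerouting is recorded by conntrack, so the forward chain can accept on 'ct status dnat' and never needs the @fwdtoip_*/@fwdtoport_* maps from the nat table. The table name "ip6 filter" and the interface "ens3" are taken from the question; treating the table as a plain ip6 (not inet) table and keeping a drop policy on the chain are assumptions.

```nft
# Added example, not from the thread. Assumes "table ip6 filter" holds the
# forward hook with policy drop and that "ens3" is the interface where the
# DNAT'ed connections arrive (both names taken from the question above).
table ip6 filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets conntrack cannot classify (bad TCP window, no entry):
        # drop them before any state-based accept can match.
        ct state invalid drop

        # Reply and related traffic of flows that were already accepted,
        # including the return path of the DNAT'ed connections.
        ct state established,related accept

        # First packet of a flow that prerouting rewrote with dnat/redirect.
        # conntrack already carries the translated destination, so no map
        # lookup is repeated here. This is the line that has to live in
        # forward: the same rule in prerouting only ends that chain's
        # traversal and does not override forward's drop policy.
        iif "ens3" ct status dnat accept
    }
}
```

Load it with `nft -f` and confirm the rule order with `nft list chain ip6 filter forward`; the 'ct status dnat' rule must sit in this chain, since a verdict reached in the nat prerouting chain is not carried into the filter forward chain.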

Thread overview: 4+ messages
2019-11-06 17:55 ipv6 forward rule after prerouting - Howto Daniel Huhardeaux
2019-11-06 18:50 ` Phil Sutter [this message]
2019-11-07  9:29   ` Daniel Huhardeaux
2019-11-12 16:50   ` Daniel Huhardeaux