On 07-09-15 19:50, Pablo Neira Ayuso wrote:
> Could you illustrate with examples what you would like to have and the
> limitations you're currently hitting?
>
So what I was trying to do is define sets with my local + trusted networks. So for example:

    define local = {
        192.168.0.0/24,
        2001:888:1001:1::/64,
    }

    define trusted = {
        $local,
        87.198.233.214,
        2001:888:1001::/48,
    }

So I'd use these as whitelists: I could use $trusted as a wider whitelist for all my networks and $local just for completely local traffic, containing IPv4 and IPv6 addresses/networks.

Now I'd love to be able to just, for example (and apologies for the likely wrong syntax, I have not been able to start using nftables in full, just experimenting):

    table inet filter {
        chain forward {
            type filter hook forward priority 0;
            ...
            # (Mostly) don't filter traffic from my trusted nets
            inet saddr $trusted accept;
            # Filter the rest more strictly.
            ...
        }
    }

This won't work because inet is not an existing match rule. I can have an "inet" table, but it still needs to have ip and ip6 match rules separately. It is nice that many other rules just work, like for example tcp/udp and ct.

Now if I could just do:

    # (Mostly) don't filter traffic from my trusted nets
    ip saddr $trusted accept;
    ip6 saddr $trusted accept;

somehow, and have nft take just the v4 and just the v6 addresses for each line, that would also be workable.

Or what I tried doing (but then I ran into the crash bug I've just reported) is to separate the two whitelists completely and do:

    # (Mostly) don't filter traffic from my trusted nets
    ip saddr $trusted4 accept;
    ip6 saddr $trusted6 accept;

The latter would work and is not bad, just kludgy. Being able to just refer to a single mixed set of addresses from a single rule would certainly be the most convenient, as one more step towards fully unifying IPv4 + IPv6 filtering.

Kind regards,

Wilmer van der Gaast.
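As an added example (not part of the message and not nftables' own code), a small POSIX shell helper that does the v4/v6 splitting the message would like nft to do, but ahead of time: it takes one mixed address list and emits the per-family defines plus the two inet-chain rules from the last variant above. It assumes an nft that accepts ip/ip6 matches inside an inet table, and it classifies elements by syntax alone (anything containing ':' is treated as IPv6).

```shell
#!/bin/sh
# Added example: split one mixed IPv4/IPv6 whitelist into the per-family
# nft defines and rules that an inet table can consume.
# Classification is purely syntactic: an element containing ':' is IPv6.

# Print the members of one address family (4 or 6) from the list in "$@",
# comma-separated, ready to drop into an nft set literal.
family_members() {
    fam=$1; shift
    out=''
    for addr in "$@"; do
        case $addr in
            *:*) af=6 ;;
            *)   af=4 ;;
        esac
        if [ "$af" = "$fam" ]; then
            out="$out${out:+, }$addr"
        fi
    done
    printf '%s' "$out"
}

# Print "define NAME4/NAME6" blocks and an inet forward chain that whitelists
# both families. A family with no members gets neither a define nor a rule,
# because nft does not accept an empty set literal.
gen_whitelist() {
    name=$1; shift
    v4=$(family_members 4 "$@")
    v6=$(family_members 6 "$@")
    [ -n "$v4" ] && printf 'define %s4 = { %s }\n' "$name" "$v4"
    [ -n "$v6" ] && printf 'define %s6 = { %s }\n' "$name" "$v6"
    printf '\ntable inet filter {\n    chain forward {\n'
    printf '        type filter hook forward priority 0;\n'
    printf '        # (Mostly) do not filter traffic from the trusted nets\n'
    [ -n "$v4" ] && printf '        ip saddr $%s4 accept\n' "$name"
    [ -n "$v6" ] && printf '        ip6 saddr $%s6 accept\n' "$name"
    printf '        # stricter filtering for everything else goes here\n'
    printf '    }\n}\n'
}

# The networks from the message, kept as one list; "local" is folded into "trusted".
gen_whitelist trusted 192.168.0.0/24 2001:888:1001:1::/64 \
                      87.198.233.214 2001:888:1001::/48
```

Pipe the output into `nft -f -` (or a file) after reviewing it; the point is that the mixed list stays the single thing you maintain.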