Re: ipv6 rpfilter and.. fw mark? problems with wireguard

Thanks for the prompt reply!

(I just noticed the netfilter@ list, sorry for having asked the question
here instead)

Andreas Jaggi wrote on Fri, Apr 10, 2020:
> > table inet test {
> >    chain raw_PREROUTING {
> >        type filter hook prerouting priority raw; policy accept;
> >        meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
> >    }
> > }
> > 
> > or
> > 
> > ip6tables -t raw -A PREROUTING -m rpfilter --invert -j LOG --log-prefix "rpfilter_DROP: "
> > ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
> 
> This does not consider the fwmark for the reverse-routing lookup.
> Using the --validmark option for the rpfilter match should get you the correct result.
> 
> And for nft the already suggested:
> meta nfproto ipv6 fib saddr . iif . mark  oif missing log prefix "rpfilter_DROP: " drop

Ok.

> I suspect the main problem is the rpfilter check happening in the raw
> table, but the fwmark only being written in the mangle table.
> Thus the rpfilter lookup happens without the correct fwmark and fails
> to return the correct result.
> 
> I would move the rpfilter check into the mangle table and place it
> after the fwmark is written.

Ok, firewalld rules are in a different table but they set priorities to
mangle + 10 so I tested something similar and it does work:

table inet test {
    chain premangle {
        type filter hook prerouting priority mangle + 10; policy accept;
        meta nfproto ipv6 fib saddr . mark . iif oif missing log prefix "rpfilter_DROP: " drop
    }
}

(I also confirmed moving the iptables, unsurprisingly it works and does
require the --validmark switch suggested)

I also found that adding --loose to the ip6tables rule works; I've had a
look at the man page[1] and can't say I understand how to make an
equivalent 'loose' rule in nft, but I'll keep trying a while longer.
(I'm asking because the ipv4 default seems to be loose on my setup, so
I'm surprised ipv6 would be different; not decided on what to actually
use)

[1] https://www.netfilter.org/projects/nftables/manpage.html#lbBR

I'll get back to the firewalld developer to discuss what would be
the preferred solution, thanks again for the help.

Cheers,
-- 
Dominique
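
The ordering Andreas describes, written out as a self-contained ruleset; this is an added example, not code from the thread or from firewalld. The mark value 0x51820, the interface name wg0 and the rule that sets the mark are constructed placeholders standing in for whatever policy-routing setup marks the tunnel traffic.

```nft
# Added example (not from the original thread). One inet table with two
# prerouting chains: the first writes the packet mark at priority "mangle",
# the second runs the fwmark-aware reverse-path check at "mangle + 10", so
# the fib lookup already sees the mark when it runs.
table inet rpfilter_example {
    chain mark_pre {
        type filter hook prerouting priority mangle; policy accept;
        # Assumed: packets arriving on the tunnel are routed through a table
        # selected by fwmark, so the same mark must be set before the check.
        # wg0 and 0x51820 are placeholders.
        iifname "wg0" meta mark set 0x51820
    }

    chain rpfilter_pre {
        # mangle + 10 orders this chain after mark_pre. A "raw" hook would
        # run before any mark is written and the lookup would miss.
        type filter hook prerouting priority mangle + 10; policy accept;
        meta nfproto ipv6 fib saddr . mark . iif oif missing log prefix "rpfilter_DROP: " drop
    }
}
```

Load with `nft -f` and watch for "rpfilter_DROP:" in the kernel log; with the check in a raw-hook chain instead, the same tunnel packets would be logged and dropped.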
