On Thu, Oct 08, 2020 at 01:14:44AM +0200, Pablo Neira Ayuso wrote:
> Hi,
>
> The following patchset adds support for the inet ingress hook:
>
> Patch #1 adds nf_static_key_inc() and nf_static_key_dec() helper functions.
> Patch #2 adds nf_ingress_hook() helper function.
> Patch #3 adds inet ingress hook support to the core.
> Patch #4 adds inet ingress hook support for nf_tables.
>
> The following example shows how to place offenders into the 'blackhole'
> set. Offenders in this case are those that connect to the local SSH port
> over the specified rate limit. The inet ingress chain is used to
> short-circuit the evaluation of the traffic coming from the offender at
> an early stage in the packet processing receive path.
>
> table inet filter {
>     set blackhole {
>         type ipv4_addr
>         size 65535
>         flags dynamic,timeout
>         timeout 5m
>     }
>
>     chain input {
>         type filter hook input priority filter; policy accept;
>         ct state new tcp dport 22 update @blackhole { ip saddr limit rate over 4/minute } counter packets 0 bytes 0

Actually, this should be:

        ct state new tcp dport 22 limit rate over 4/minute update @blackhole { ip saddr } counter packets 0 bytes 0

maybe this example is not that useful...

...

But the overall idea is to share sets with the ingress hook, which was not
possible so far :-)

>     }
>
>     chain ingress {
>         type filter hook unknown device "enp0s25" priority filter; policy accept;
>         ip saddr @blackhole counter packets 0 bytes 0 drop
>     }
> }
>
> Pablo Neira Ayuso (4):
>   netfilter: add nf_static_key_{inc,dec}
>   netfilter: add nf_ingress_hook() helper function
>   netfilter: add inet ingress support
>   netfilter: nf_tables: add inet ingress support
>
>  include/net/netfilter/nf_tables.h      |   6 ++
>  include/net/netfilter/nf_tables_ipv4.h |  33 +++++++
>  include/net/netfilter/nf_tables_ipv6.h |  46 +++++++++
>  include/uapi/linux/netfilter.h         |   1 +
>  net/netfilter/core.c                   | 127 ++++++++++++++++++++-----
>  net/netfilter/nf_tables_api.c          |  14 +--
>  net/netfilter/nft_chain_filter.c       |  35 ++++++-
>  7 files changed, 228 insertions(+), 34 deletions(-)
>
> --
> 2.20.1
>
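As an added illustration of the shared-set idea in the thread above (a constructed Python model written for this page, not nft and not code from the patchset), the two chains, the dynamic set with its 5m timeout and the corrected rule's rate limit are modelled so the verdicts of a sequence of SSH SYNs can be traced; the limit is approximated as a sliding window, and the classes, the simulate() helper and the sample addresses are this model's own assumptions:

```python
# Constructed model of the cover-letter ruleset; not nft, not kernel code.
from collections import deque

class DynamicSet:
    """Stands in for 'set blackhole { flags dynamic,timeout; timeout 5m }'."""
    def __init__(self, timeout):
        self.timeout = timeout
        self.expiry = {}          # addr -> absolute expiry time (seconds)
    def update(self, addr, now):  # 'update @blackhole { ip saddr }' refreshes the timer
        self.expiry[addr] = now + self.timeout
    def contains(self, addr, now):  # 'ip saddr @blackhole'; expired entries are gone
        exp = self.expiry.get(addr)
        if exp is not None and now < exp:
            return True
        self.expiry.pop(addr, None)
        return False

class RateLimit:
    """Approximates 'limit rate over 4/minute' as a sliding window (nft uses a
    token bucket, so the exact trigger point differs slightly)."""
    def __init__(self, rate, per):
        self.rate, self.per, self.hits = rate, per, deque()
    def over(self, now):
        self.hits.append(now)
        while self.hits[0] <= now - self.per:
            self.hits.popleft()
        return len(self.hits) > self.rate

class Firewall:
    def __init__(self):
        self.blackhole = DynamicSet(timeout=300)
        self.ssh_limit = RateLimit(rate=4, per=60)   # one counter for the whole rule

    def ingress(self, pkt, now):
        # chain ingress: 'ip saddr @blackhole counter drop' runs before input
        if self.blackhole.contains(pkt["saddr"], now):
            return "drop"
        return self.input(pkt, now)

    def input(self, pkt, now):
        # chain input: 'ct state new tcp dport 22 limit rate over 4/minute
        # update @blackhole { ip saddr }' with policy accept: the packet that
        # trips the limit is still accepted, but its source is now blackholed
        if pkt["new"] and pkt["dport"] == 22 and self.ssh_limit.over(now):
            self.blackhole.update(pkt["saddr"], now)
        return "accept"

def simulate(events):
    """events: (time, saddr, new) SYNs to port 22 -> list of verdicts."""
    fw = Firewall()
    return [fw.ingress({"saddr": s, "dport": 22, "new": n}, t) for t, s, n in events]
```

Because the rule's limit is a single stateful object shared by every packet the rule sees, a second source arriving while the counter is already over the rate is blackholed on its first connection, and an entry disappears 5m after its last update.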