On 12/02/2017 at 13:43, Michael Weiser wrote:
> Hi Pascal,
> On Sun, Feb 12, 2017 at 09:59:14AM +0100, Pascal Hambourg wrote:
> > is there an elegant way in either ip{,6}tables or nftables to match
> > addresses in packets against all the addresses set on a specific local
> > interface?
> For the interface the packet is coming in or going out, maybe with the
> iptables 'addrtype' match.
> A first test with a rule like
> iptables -I OUTPUT 1 -p tcp --dport 22 -m addrtype --src-type LOCAL -j ACCEPT
> looks very promising: Allowing out only packets with source addresses
> actually assigned to a local interface (tested with hping3 -u -p 22 -a
> 7.7.7.7 192.168.2.1).
I thought you wanted to match only against local addresses attached to a
specific interface, not all interfaces. If that specific interface is
the output interface, then you can add --limit-iface-out.
Otherwise, may I ask why you need this?
Only a process with special privileges can send packets with a non-local
address.
> The thing for dummies like me to note about this is that addrtype
> doesn't deal with predefined classes of addresses but the actual state
> of things on the interfaces present in the system. Consequently LOCAL
> doesn't mean RFC1918 addresses or somesuch but addresses actually
> assigned to local interfaces.
local != private
There is no need for a specific extension to match any given address
prefix such as those defined in RFC1918: -d/-s already do the job.
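As an added illustration of the distinction made in this thread (example code written here, not from either poster or from the netfilter project), the script below models what the addrtype LOCAL match actually consults: the set of addresses currently assigned to the system's interfaces, optionally restricted to one interface as --limit-iface-out does, as opposed to a fixed RFC1918 prefix list. The interface table and the egress_verdict helper are constructed for the example; the 7.7.7.7 spoofed source and 192.168.2.1 come from the hping3 test quoted above.

```python
import ipaddress

# Constructed sample of what `ip addr` might show on the host; these
# assignments are made up for the example and not taken from the thread.
LOCAL_IFACES = {
    "lo":   ["127.0.0.1/8", "::1/128"],
    "eth0": ["192.168.2.1/24", "2001:db8::1/64"],
    "wg0":  ["10.8.0.1/24"],
}

# Fixed prefix list: what a "private address" check looks at.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def local_addresses(ifaces, limit_iface=None):
    """Addresses assigned to local interfaces, the state addrtype LOCAL
    matches against. With limit_iface set, only that interface counts,
    which is the --limit-iface-in/--limit-iface-out behaviour."""
    addrs = set()
    for name, cidrs in ifaces.items():
        if limit_iface is not None and name != limit_iface:
            continue
        for cidr in cidrs:
            addrs.add(ipaddress.ip_interface(cidr).ip)
    return addrs


def is_local(addr, ifaces, limit_iface=None):
    """True if addr is currently assigned to a local interface."""
    return ipaddress.ip_address(addr) in local_addresses(ifaces, limit_iface)


def is_private(addr):
    """True if addr falls in an RFC1918 prefix (IPv4 only), regardless of
    whether any interface on this host carries it."""
    a = ipaddress.ip_address(addr)
    return a.version == 4 and any(a in net for net in RFC1918)


def egress_verdict(src, out_iface, ifaces, limit_iface_out=False):
    """Emulate an OUTPUT rule of the form
    `-m addrtype --src-type LOCAL [--limit-iface-out] -j ACCEPT`
    followed by a default DROP: a packet is let out only if its source
    address is assigned locally (to the outgoing interface, if limited)."""
    limit = out_iface if limit_iface_out else None
    return "ACCEPT" if is_local(src, ifaces, limit) else "DROP"


if __name__ == "__main__":
    # Spoofed source from the hping3 test: not local, so dropped.
    print("7.7.7.7 via eth0:", egress_verdict("7.7.7.7", "eth0", LOCAL_IFACES))
    # Real eth0 address: accepted.
    print("192.168.2.1 via eth0:", egress_verdict("192.168.2.1", "eth0", LOCAL_IFACES))
    # wg0's address leaving via eth0: local, but not on the output interface.
    print("10.8.0.1 via eth0, limited:",
          egress_verdict("10.8.0.1", "eth0", LOCAL_IFACES, limit_iface_out=True))
    # local != private: an RFC1918 address nobody here is configured with.
    print("192.168.99.99 private:", is_private("192.168.99.99"),
          "local:", is_local("192.168.99.99", LOCAL_IFACES))
```

The point the model makes explicit: 192.168.99.99 is private but not local, 127.0.0.1 is local but not private, and with the interface limit in place an address held by wg0 no longer counts as local on eth0. The real match is evaluated by the kernel against its routing and address tables, so the table above only stands in for that state.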