Hi!

Using Debian 10/nftables v0.9.0, I'm having trouble having nftables validate outgoing IPsec packets using the secpath meta.

This is part of a ruleset on R1, an IPsec gateway, that is supposed to only forward traffic between 172.16.11.0/24 and 172.16.12.0/24 if it is secured by IPsec:

    172.16.11.0/24-R1-----ESP-----R2-172.16.12.0/24

    chain forward {
        type filter hook forward priority 0; policy drop;
        ip saddr 172.16.12.0/24 ip daddr 172.16.11.0/24 meta secpath exists counter accept
        ip saddr 172.16.11.0/24 ip daddr 172.16.12.0/24 counter accept
        log prefix "NFtables: FWD:" counter drop
    }

    chain postrouting {
        type filter hook forward priority 0; policy drop;
        #never matching:
        ip saddr 172.16.11.0/24 ip daddr 172.16.12.0/24 meta secpath exists counter accept
        ip saddr 172.16.12.0/24 ip daddr 172.16.12.0/24 counter accept
        log prefix "NFtables: POST:" counter drop
    }

While the forward chain does match incoming IPsec-secured packets using:

    ip saddr 172.16.12.0/24 ip daddr 172.16.11.0/24 meta secpath exists counter accept

the postrouting chain secpath rule never matches:

    ip saddr 172.16.11.0/24 ip daddr 172.16.12.0/24 meta secpath exists counter accept

What may I be doing wrong? Any help is welcome.