Re: Nftables rules change when network interfaces disappear

On Tue, Sep 01, 2020 at 01:59:51PM +0200, Mikhail Morfikov wrote:
> I was trying to write some FW policy for VPN and I added the following rules to
> my openvpn script:
> 
>     nft create chain ip nat force-vpn
>     nft add rule ip nat POSTROUTING meta oif ${dev} counter jump force-vpn
>     nft add rule ip nat force-vpn meta oif ${dev} counter snat ${ifconfig_local}
> 
> When the VPN connection is being established, the rules do their job, the ${dev}
> variable is properly resolved and nftables can live with it just fine:
> 
> # nft -a list table ip nat
> 
> table ip nat { # handle 55
> ...
>         chain POSTROUTING { # handle 3
> ...
>                 oif "tun0" counter packets 0 bytes 0 jump force-vpn # handle 20
>         }
> ...
>         chain force-vpn { # handle 19
>                 oif "tun0" counter packets 0 bytes 0 snat to 172.27.100.20 # handle 21
>         }
> }
> 
> But when I close the VPN connection, something weird happens. The above rules
> now look like this:
> 
> # nft -a list table ip nat
> 
> table ip nat { # handle 55
> ...
>         chain POSTROUTING { # handle 3
> ...
>                 oif 61 counter packets 0 bytes 0 jump force-vpn # handle 20
>         }
> ...
>         chain force-vpn { # handle 19
>                 oif 61 counter packets 0 bytes 0 snat to 172.27.100.20 # handle 21
>         }
> }
> 
> So the output interface is now 61 and not "tun0". My script doesn't do anything
> with the nftables rules when the VPN connection is closing. So the value of the
> output interface magically changed on its own.
> 
> The number is the one that can be found in the output of the `ip` command when 
> the interface was created:
> 
> # ip addr show
> ...
> 61: tun0: ...
> ...
> 
> Is this a bug or is this intended behavior?

IIRC, oif will look up the interface name and map that to an ifindex. But
that breaks if the interface goes away.

You should use "oifname" instead of "oif".
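The two rules from the question rewritten with oifname, as an added example (not code from the original thread or from the openvpn script it describes). The interface name and SNAT address are the ones shown in the thread; the define names are assumed for the example, and the POSTROUTING chain declaration assumes the usual srcnat hook, which the original listing does not show.

```nft
#!/usr/sbin/nft -f
# Added example: the questioner's ruleset with oifname instead of oif.
# "tun0" and 172.27.100.20 are taken from the thread; the define names
# and the POSTROUTING hook line are assumptions for this example.

define vpn_dev  = "tun0"
define vpn_addr = 172.27.100.20

table ip nat {
    chain force-vpn {
        # oifname compares the interface name when each packet is
        # evaluated, so the rule keeps matching after tun0 is torn down
        # and recreated, even though the new tun0 normally gets a fresh
        # ifindex. With "oif $vpn_dev" the name is resolved to an index
        # when the rule is loaded (61 in the original listing) and the
        # rule would only ever match that index again.
        oifname $vpn_dev counter snat to $vpn_addr
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $vpn_dev counter jump force-vpn
    }
}
```

Load it with `nft -f` and confirm with `nft -a list table ip nat` before and after closing the VPN: the rules keep showing `oifname "tun0"` rather than a bare index. Because oifname does not require the interface to exist at load time, the rules can also be installed once at boot instead of from the openvpn up script; the trade-off is that oif is a cheaper integer comparison, which is why it is the default choice when the interface is permanent. The same change applies to the command form in the question: `nft add rule ip nat force-vpn meta oifname ${dev} counter snat ${ifconfig_local}`.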
