Hey Pablo and others...

On Mon, Nov 15, 2021 at 8:22 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Mon, Nov 15, 2021 at 08:47:10PM +0100, Pablo Neira Ayuso wrote:
> > On Mon, Nov 15, 2021 at 11:40:43AM -0600, Matt Zagrabelny wrote:
> [...]
> > > Is there no vmap for icmp?
> >
> > instead of:
> >
> > meta protocol {icmp, icmpv6} vmap {
> >     icmp: jump icmp_ipv4,
> >     icmpv6: jump icmp_ipv6,
> > }
> >
> > this should be:
> >
> > meta protocol vmap {
> >     icmp: jump icmp_ipv4,
> >     icmpv6: jump icmp_ipv6,
> > }
>
> Wrong selector actually:

Ha. Yup. I'm just discovering this as you sent your email. I was going
to reply with a few questions. So your reply was well timed.

> # nft describe meta protocol
> meta expression, datatype ether_type (Ethernet protocol) (basetype integer), 16 bits
>
> pre-defined symbolic constants (in hexadecimal):
>         ip                              0x0800
>         arp                             0x0806
>         ip6                             0x86dd
>         8021q                           0x8100
>         8021ad                          0x88a8
>         vlan                            0x8100
>
> you should use meta l4proto instead
>
> # nft describe meta l4proto
> meta expression, datatype inet_proto (Internet protocol) (basetype integer), 8 bits
>         ip                              0
>         icmp                            1
>         igmp                            2
>         ggp                             3
>         ipencap                         4
>         st                              5
>         tcp                             6
> ...
>
> Therefore:
>
> meta l4proto vmap {
>     icmp: jump icmp_ipv4,
>     icmpv6: jump icmp_ipv6,
> }

Agreed. This is working better than the previous vmap.

I searched for "nftables icmp" on the interwebs and found these rules:

meta nfproto ipv4 icmp type { echo-request } counter accept
meta nfproto ipv6 icmpv6 type echo-request counter accept

Not sure how they compare to the above "meta l4proto..." commands.

> Careful with this idiom, because it might not do what you want.

Alright... Currently it looks like it is doing what I want.

> If you do not previously classify traffic at layer 3,

How do you classify traffic at layer 3? Is that a manual configuration?

> then depending
> on your ruleset, this might allow for packet crafting such as
> IPv4/ICMPv6 and IPv6/ICMPv4.

Hmmm...

Are there any (potential) security problems with cross version/protocol
packets?

Thanks for the help and the words of caution.

Cheers,

-m
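As an added example that is not part of the thread (the chain names and the accepted ICMP types are assumptions, not Pablo's or Matt's ruleset), this inet-family ruleset does the layer-3 classification Pablo refers to before the layer-4 dispatch, so a packet whose IP version and ICMP variant disagree never reaches the wrong ICMP chain:

```nft
# Added example: classify on IP version (layer 3) first, then on the
# transport protocol number, instead of a single "meta l4proto" vmap.
# An IPv6 packet carrying protocol 1 (ICMPv4) or an IPv4 packet carrying
# protocol 58 (ICMPv6) falls off the end of ipv4_in/ipv6_in and is
# dropped by the base chain policy. Chain names are assumptions.
table inet filter {
    chain icmp_ipv4 {
        # reached only via ipv4_in, so the IP version is already known to be 4
        icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded } counter accept
    }

    chain icmp_ipv6 {
        # reached only via ipv6_in; ND types are needed for IPv6 to work at all
        icmpv6 type { echo-request, echo-reply, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big } counter accept
    }

    chain ipv4_in {
        # protocol number 1 is ICMP; anything else returns to the caller
        meta l4proto icmp jump icmp_ipv4
    }

    chain ipv6_in {
        # protocol number 58 is ICMPv6 ("ipv6-icmp" in /etc/protocols)
        meta l4proto ipv6-icmp jump icmp_ipv6
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # layer-3 classification first: dispatch on the IP version
        meta nfproto vmap { ipv4 : jump ipv4_in, ipv6 : jump ipv6_in }
    }
}
```

Load it with `nft -c -f <file>` to syntax-check it without committing it to the kernel.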