What is the best way to create rules used to ipsec traffic filtering?
So far I have bunch rules created per reqid like that:
table ip filter { # handle 13
chain INPUT { # handle 1
type filter hook input priority filter; policy drop;
iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326
[...]
}
[...]
chain ipsec-in-1 { # handle 323
ip saddr yyy ip daddr xxxx/24 counter packets 50871 bytes 5614784 jump c1 # handle 325
ip protocol ipencap ip daddr zzzz counter packets 49801 bytes 5878107 accept # handle 324
}
}
And insert / remove rules from INPUT (and add / delete ipsec-in-*
chains) during connecting disconnecting clients.
This was I configured when I migrated from iptables some time ago.
But I believe this is not the best method for nftables. So has anybody
suggestion what is the best practicte to handle this situation?
I tried to use maps/vmaps but reqid cannot be use as index.
Am I missing something?
KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
