Re: Proper way to ipsec filtering


Kamil Jońca <kjonca@xxxxx> wrote:
> What is the best way to create rules used to ipsec traffic filtering?
> 
> So far I have a bunch of rules created per reqid like that:
> table ip filter { # handle 13
> 
> chain INPUT { # handle 1
>                 type filter hook input priority filter; policy drop;
>                 iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326
>                 [...]
[..]

> But I believe this is not the best method for nftables. So does anybody
> have a suggestion on what the best practice is to handle this situation?
> I tried to use maps/vmaps but reqid cannot be used as an index.

That's a bug / missing feature, it should be possible to use reqid in concatenated keys
too.  I've sent a patch for this:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220418100924.5669-2-fw@xxxxxxxxx/
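As an added example (not a ruleset from the thread or from the linked patch), here is the shape the question is reaching for: one verdict map keyed on `ipsec in reqid` dispatching to per-reqid chains, instead of one `ipsec in reqid N jump ipsec-in-N` rule per tunnel. It assumes nft accepts `ipsec in reqid` as a plain map key; the concatenated form (for example `iif . ipsec in reqid`) is what the patch above addresses. Table, chain names, reqid values and the per-tunnel policies are constructed for illustration.

```nft
# Added example, not from the thread. Dispatch inbound IPsec traffic to a
# per-reqid chain through a single verdict map.
# Assumption: 'ipsec in reqid' is accepted as a vmap key. Chain names,
# reqid values and service ports below are constructed.
table inet ipsec-filter {
    chain ipsec-in-1 {
        # constructed policy: tunnel with reqid 1 may only reach SSH and ping
        tcp dport 22 accept
        meta l4proto { icmp, ipv6-icmp } accept
        counter drop
    }

    chain ipsec-in-2 {
        # constructed policy: tunnel with reqid 2 may only reach the web service
        tcp dport { 80, 443 } accept
        counter drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept

        # One lookup replaces N 'ipsec in reqid N jump ipsec-in-N' rules.
        # A packet whose SA carries a reqid not listed here falls through
        # to the chain policy (drop), so a newly added tunnel is not
        # implicitly allowed until it gets its own entry and chain.
        iif "eth0" ipsec in reqid vmap { 1 : jump ipsec-in-1, 2 : jump ipsec-in-2 }

        # Packets on eth0 that did not arrive through any SA do not match
        # the ipsec expression at all and are also dropped by policy.
    }
}
```

Keeping the default policy at drop and listing only known reqids in the map gives the same fail-closed behaviour as the per-reqid rule list, while `nft list map` shows at a glance which tunnels are wired to which chain.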



