Florian Eckert <fe@xxxxxxxxxx> writes:

> Not working:
> root@G3-10483 ~ # nft list ruleset
> table inet fw4 {
> ...
>     chain strongswan_filter_pre_forward {
>         type filter hook forward priority filter - 2; policy accept;
>         iifname "eth0" meta ipsec exists ipsec in reqid 1 ip saddr 192.168.17.0/24 ip daddr 192.168.99.0/24 accept
>         oifname "eth0" meta ipsec exists ipsec out reqid 1 ip saddr 192.168.99.0/24 ip daddr 192.168.17.0/24 accept
>     }
> ...
>     chain forward {
>         type filter hook forward priority filter; policy drop;
>         ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
>         iifname "eth1" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
>         iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
>         jump handle_reject
>     }
> ...
> }
>
> Working:
> root@G3-10483 ~ # nft list ruleset
> table inet fw4 {
> ...
>     chain forward {
>         type filter hook forward priority filter; policy drop;
>         iifname "eth0" meta ipsec exists ipsec in reqid 1 ip saddr 192.168.17.0/24 ip daddr 192.168.99.0/24 accept
>         oifname "eth0" meta ipsec exists ipsec out reqid 1 ip saddr 192.168.99.0/24 ip daddr 192.168.17.0/24 accept
>         ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
>         iifname "eth1" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
>         iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
>         jump handle_reject
>     }
> ...
> }
>
> I have specially lowered the 'priority' of the chain
> "strongswan_filter_pre_forward" by two so that it runs before the
> 'forward' chain.
>
> Is it possible that my approach is wrong and it doesn't work like
> this? I have not found anything in the documentation about that.
Correct me if I am wrong, but "accept" in strongswan_filter_pre_forward causes the packet to pass to the normal forward chain (where the packet is dropped, I believe). If you want to keep the "multiple chain" approach then I think the best way is to "mark" the packet (instead of "accept") in strongswan_filter_pre_forward and then in the "forward" chain accept marked packets.

You can also wait for the next release (https://marc.info/?l=netfilter&m=165031449504497&w=2); this release should have more set/map/vmap possibilities and then it should be possible to use something like (I know that this is not the best example, but I am also in the migration process):

--8<---------------cut here---------------start------------->8---
add chain ip filter ipsec-fw-${PLUTO_REQID} \;\
add rule ip filter ipsec-fw-${PLUTO_REQID} iif ${PLUTO_INTERFACE} ipsec in reqid ${PLUTO_REQID} ip saddr ${PLUTO_PEER_CLIENT} ip daddr ${PLUTO_MY_CLIENT} accept \;\
add rule ip filter ipsec-fw-${PLUTO_REQID} oif ${PLUTO_INTERFACE} ipsec out reqid ${PLUTO_REQID} ip saddr ${PLUTO_MY_CLIENT} ip daddr ${PLUTO_PEER_CLIENT} accept \;\
add element ip filter ipsec_fw '{' ${PLUTO_REQID} : jump ipsec-fw-${PLUTO_REQID} '}'\;\
--8<---------------cut here---------------end--------------->8---

where the static config would be:

map ipsec_fw {
    typeof ipsec in reqid : verdict
    flags interval
}

chain FORWARD {
    type filter hook forward priority filter; policy drop;
    [...]
    ct state established,related accept
    ipsec out reqid vmap @ipsec_fw
    ipsec in reqid vmap @ipsec_fw
}

I compiled modified sources and this works (in a way ;) )

KJ
-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
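The mark-then-accept approach suggested in the reply, written out as an added nftables ruleset (an editor's example, not code from the thread or from fw4/strongSwan); chain names, interfaces, reqid and subnets follow Florian's quoted ruleset, the mark value 0x1 is an assumption, and fw4's own forward rules are elided:

```nft
# Added example (not from the thread). Two base chains on the same forward
# hook: "accept" in the earlier one only ends that chain, the packet then
# still traverses fw4's "forward" chain, whose "policy drop" discards it.
# A packet mark is a non-terminal action that survives into the later chain,
# so the later chain can accept on the mark before its zone logic runs.
table inet fw4 {
    chain strongswan_filter_pre_forward {
        # runs first (priority filter - 2), as in the original ruleset
        type filter hook forward priority filter - 2; policy accept;
        # mark value 0x1 is an assumption; pick one no other rule set uses
        iifname "eth0" meta ipsec exists ipsec in reqid 1 ip saddr 192.168.17.0/24 ip daddr 192.168.99.0/24 meta mark set 0x1
        oifname "eth0" meta ipsec exists ipsec out reqid 1 ip saddr 192.168.99.0/24 ip daddr 192.168.17.0/24 meta mark set 0x1
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # accept what the earlier chain marked, before fw4's zone jumps and
        # handle_reject (those rules are elided here and would follow)
        meta mark 0x1 accept comment "IPsec traffic marked by strongswan chain"
        ct state established,related accept
    }
}
```

The mark is per packet, not per connection, so the rule in the earlier chain must match both directions (as above) rather than relying on conntrack; if fw4 or strongSwan already use packet marks, choose a non-conflicting value or match with a mask.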