nftables: origin sport after dstnat

Hi!

I want to use nftables along with Docker. Docker itself does not
support nftables, so I use the nf_tables backend for iptables. This
way, Docker uses iptables commands to set up all needed chains and
rules. So far so good.

The following chains are set up by Docker (I shortened it to the
relevant information):

table ip filter {
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 6 bytes 360 jump DOCKER-USER
	}
	chain DOCKER {
		iifname != "docker0" oifname "docker0" ip daddr 172.17.0.2 tcp dport 5000 counter packets 0 bytes 0 accept
	}
	chain DOCKER-USER {
	}
}
table ip nat {
	chain DOCKER {
		iifname "docker0" counter packets 0 bytes 0 return
		iifname != "docker0" tcp dport 8448 counter packets 6 bytes 360 # xt_DNAT
	}
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		# xt_addrtype counter packets 6 bytes 360 jump DOCKER
	}
}

Here I started a Docker container with "-p 8448:5000" (map the host
port 8448 to the Docker-internal port 5000). If a packet enters, it
will land in the PREROUTING NAT chain (dstnat), jump to the DOCKER
chain, and here the dnat happens. This is all set up by the Docker
daemon itself. The only way for me to intercept traffic is the
DOCKER-USER chain (FORWARD FILTER), which is created by Docker
and is put on top of all other rules in this chain.

Now I want to establish a whitelist for host ports. Meaning: I want
to control which ports are "open" from the outside, regardless of what
Docker is doing.

My first idea was to use the DOCKER-USER chain and add a simple rule
which will drop all traffic which is not coming from the whitelisted
port list:

tcp sport != {
  8448,
} drop

The problem is that the DOCKER-USER chain is behind the dnat, so I
can't use "sport", because it is already a random port from the dnat :(

With a trace in that chain, I got this (sport is 57484, a random port)
and the filter rule does not work.

trace id 2a3fb2fd ip filter DOCKER-USER packet: iif "eth0" oif "docker0" ether saddr 52:54:00:8e:37:c7 ether daddr 52:54:00:9c:e5:b7 ip saddr 192.168.122.1 ip daddr 172.17.0.2 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 57921 ip length 60 tcp sport 57484 tcp dport 5000 tcp flags == syn tcp window 64240 
trace id 2a3fb2fd ip filter DOCKER-USER rule tcp sport != 8448 counter packets 6 bytes 360 drop (verdict drop)

Is there a way to somehow access the origin sport (8448 in my case), so
I can filter for it in the FORWARD chain?

Thanks!
Aaron
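The value the post is after (8448, the port the client dialled before the DOCKER nat chain rewrote it to 5000) survives in the connection's conntrack entry as the original-direction destination port, which nftables exposes as `ct original proto-dst`. The following is an added example, not part of the original post or of Docker's own rules: it assumes the Docker-created `ip filter` table and `DOCKER-USER` chain shown above already exist and that the file is loaded with `nft -f` so the rules are appended to that chain.

```nft
# Added example (not from the post): whitelist host ports for Docker
# containers inside DOCKER-USER by matching the pre-DNAT destination port.
# Assumes the "ip filter" table and DOCKER-USER chain created by Docker.
table ip filter {
	chain DOCKER-USER {
		# Replies and packets of flows that were already accepted pass
		# straight back to Docker's own FORWARD rules.
		ct state established,related return

		# For a new TCP/UDP flow headed into the bridge, compare the
		# destination port of the flow's first packet as conntrack
		# recorded it (8448 in the post's trace), not the post-DNAT
		# "tcp dport 5000" that the FORWARD hook sees. Ports not in the
		# anonymous set are dropped; the counter makes hits visible in
		# "nft list chain ip filter DOCKER-USER".
		oifname "docker0" ct state new meta l4proto { tcp, udp } ct original proto-dst != { 8448 } counter drop

		# Whitelisted ports fall through to Docker's rules, which then
		# accept them in the filter DOCKER chain as before.
	}
}
```

Because `ct original proto-dst` reads the conntrack tuple rather than the packet header, the same rule keeps working no matter which container port the `-p` mapping points at.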
