Re: Possible to check if ip daddr belongs to an interface in the prerouting chain?

> Basically, what it does is lookup at "local" routing table

I checked my “local” routing table, and my wan IP was there. But somehow, given the following rule, packets with wan IP as the destination still got tproxied:

chain foo {
  type filter hook prerouting priority mangle; policy accept;
  fib daddr . iif type { local, broadcast, multicast } return
  meta nfproto ipv4 meta l4proto { tcp, udp } tproxy ip to 127.0.0.1:123 meta mark set 1
}

I also tried "type == { … }", didn’t help.

The official wiki mentioned:
# only accept packets to addresses configured in the *same* interface, eg
nft add rule x prerouting fib daddr . iif type local accept

and the man page gave this example:
# drop packets to address not configured on *incoming* interface
filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop

This seems to suggest that “local” only matches packets whose destination interface is the same one they originate from? In the lan -> wan case that is not so, so I guess it doesn’t match?

I wonder if there is a fib type or some other kind of rule that can match packets destined to local interfaces?

> On Apr 28, 2023, at 6:05 PM, Serg <seentr@xxxxxxxxxxxx> wrote:
> 
> On 4/28/23 11:59, Glen Huang wrote:
>>> nft add rule x prerouting fib daddr . iif type local accept
>> “local” is very close to what I’m after, but from my test, it doesn’t match. The linked wiki seems to suggest that “local” means the same interface a packet originates from?
>> I wonder if there is an address type that denotes any IP that is hosted on local interfaces.
> 
> I am using the following ruleset to bypass nf_conntrack for traffic which is neither originating from a local IP nor destined to a locally configured IP address:
> 
>> table inet nftables_svc {
>>  chain untrack_in {
>>    type filter hook prerouting priority raw - 10; policy accept;
>>      fib daddr . iif type != local notrack
>>  }
>>  chain untrack_out {
>>    type filter hook output priority raw + 10; policy accept;
>>    fib saddr . oif type != local notrack
>>  }
>> }
> Basically, what it does is a lookup in the "local" routing table - you may inspect it yourself using this command:
>> ip route list table local
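
Added example, not part of the thread above: a minimal ruleset contrasting the interface-restricted lookup `fib daddr . iif type local` (the form used in the wiki and man page examples, which only matches addresses configured on the incoming interface) with the interface-independent `fib daddr type local`, which consults the "local" routing table regardless of which interface holds the address. Table name, chain name, mark value and tproxy port are placeholders chosen for this illustration.

```nft
table inet tproxy_demo {
  chain prerouting {
    type filter hook prerouting priority mangle; policy accept;

    # Interface-independent lookup: matches when daddr is any address in the
    # "local" routing table (ip route list table local), no matter which
    # interface it is configured on. A lan -> wan-address packet matches here
    # and is returned before it can be tproxied.
    fib daddr type local return

    # Interface-restricted variant (wiki/man page form): only matches when the
    # address is configured on the interface the packet arrived on. Kept here,
    # commented out, to show the difference; it would NOT match a packet that
    # came in on lan with the wan address as destination.
    # fib daddr . iif type local return

    # Broadcast/multicast destinations are never tproxy candidates either.
    fib daddr type { broadcast, multicast } return

    # Everything else that is TCP/UDP over IPv4 is redirected to the local
    # transparent proxy and marked so a policy route can deliver it locally.
    meta nfproto ipv4 meta l4proto { tcp, udp } tproxy ip to 127.0.0.1:123 meta mark set 1
  }
}
```

Check the file with `nft -c -f tproxy_demo.nft` before loading it; the addresses the lookup consults are exactly those listed by `ip route list table local`. The tproxy half still needs a listening socket with IP_TRANSPARENT set and a policy rule routing fwmark 1 locally, which this fragment does not set up.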
