From: Florian Westphal <fw@strlen.de>
To: netfilter-devel@vger.kernel.org
Subject: [RFC] nftables: reverse path filtering for nft
Date: Sat, 10 Sep 2016 22:01:02 +0200 [thread overview]
Message-ID: <20160910200102.GA11377@breakpoint.cc> (raw)
Hi.
Linux has a builtin rp filter for ipv4, but not for ipv6.
xtables has rpfilter match for both ipv4 and ipv6.
nftables currently does not have such a feature.
Any idea on how specific or generic this should be for nft?
Current idea is to add 'fib' expression that initially supports
lookup of outinterface index for reply direction, i.e.:
nft ... fib reply oif ne 0 accept (found something)
nft ... fib reply oif eq 0 drop (no route)
nft ... fib reply oif eq eth0 (reply would be routed via eth0)
Problem is that we might need some options to influence/control
input to the fib lookup routines, e.g. if we want to consider
skb->mark or if we're only interested in routes via particular interface
(ipv6 needs this, this is what the --loose option does for -m rpfilter
in iptables).
Unfortunately, use of 'mark' results in grammar ambiguity in the parser.
What would work is this:
fib_expr : FIB STRING fib_args fib_type
{
$$ = fib_expr_alloc(&@$, $4, get_dir($2));
}
;
fib_type : OIF { $$ = NFT_FIB_OIF; }
;
fib_args : fib_arg
{
$<expr>$ = $<expr>0;
}
| fib_args fib_arg
;
fib_arg : MARK
{
$<expr>0->fib.use_mark = 1;
}
| LOOSE
{
$<expr>0->fib.loose = 1;
}
;
Which results in following syntax:
nft .. fib reply mark loose oif eq 0 drop # no route at all
nft .. fib reply mark oif eq 0 drop # no route via iif
nft .. fib reply oif eq 0 drop # no route via iif, do not use skb->mark
Other features that might make sense to implement for fib:
- query mtu on the route (maybe useful with future tcp option mangling
to create TCPMSS target equvalent...?)
- query what fib says about type of saddr/daddr (iptables -m addrtype match)
Main 'problem' is that I don't want to muck with the syntax later so
it should be flexible enough to cover other uses beside rpf.
What do others think?
next reply other threads:[~2016-09-10 20:01 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-10 20:01 Florian Westphal [this message]
2016-09-12 12:04 ` [RFC] nftables: reverse path filtering for nft Pablo Neira Ayuso
2016-09-12 12:21 ` Florian Westphal
2016-09-12 18:52 ` Pablo Neira Ayuso
2016-09-12 19:00 ` Florian Westphal
2016-09-12 19:14 ` Pablo Neira Ayuso
2016-09-12 19:19 ` Florian Westphal
2016-09-12 22:46 ` Florian Westphal
2016-09-14 17:45 ` Florian Westphal
2016-09-14 18:23 ` Arturo Borrero Gonzalez
2016-09-14 21:13 ` Florian Westphal
2016-09-14 22:00 ` Florian Westphal
2016-09-15 8:24 ` Arturo Borrero Gonzalez
2016-09-15 8:27 ` Arturo Borrero Gonzalez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160910200102.GA11377@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.