WTF, over

All of lore.kernel.org
 help / color / mirror / Atom feed

* WTF, over
@ 2020-05-23 22:02 Stephen Satchell
  2020-05-24 11:09 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Satchell @ 2020-05-23 22:02 UTC (permalink / raw)
  To: Linux Netfilter Users List

This statement works with --check, but this is what I get when I try to 
insert the rule:

> [root@fiber-fw Desktop]# nft add rule inet filter output meta oif enp1s0 jump wan_output
> Error: Could not process rule: Operation not supported
> add rule inet filter output meta oif enp1s0 jump wan_output
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Doing a "list ruleset", I find this present in inet filter:

> 	chain wan_output {
> 		fib saddr . iif type broadcast counter packets 0 bytes 0 drop
> 		fib saddr . iif type multicast counter packets 0 bytes 0 drop
> 		fib saddr . iif type blackhole counter packets 0 bytes 0 drop
> 		fib saddr . iif type unreachable counter packets 0 bytes 0 drop
> 		fib saddr . iif type prohibit counter packets 0 bytes 0 drop
> 	}

Interestingly, a similar expression works just file in the input context:

> 	chain input {
> 		type filter hook input priority 0; policy drop;
> 		iif "enp1s0" jump wan_input
> 		iif "enp2s0" jump lan_input


Documentation provides NO clue as to what is wrong with the first 
statement statement.

Can anyone tell me what is going on?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: WTF, over
  2020-05-23 22:02 WTF, over Stephen Satchell
@ 2020-05-24 11:09 ` Pablo Neira Ayuso
  2020-05-24 15:03   ` Stephen Satchell
  2020-05-24 15:05   ` WTF, over (reformatted) Stephen Satchell
  0 siblings, 2 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-24 11:09 UTC (permalink / raw)
  To: Stephen Satchell; +Cc: Linux Netfilter Users List

On Sat, May 23, 2020 at 03:02:14PM -0700, Stephen Satchell wrote:
> This statement works with --check, but this is what I get when I try to
> insert the rule:
> 
> > [root@fiber-fw Desktop]# nft add rule inet filter output meta oif enp1s0 jump wan_output
> > Error: Could not process rule: Operation not supported
> > add rule inet filter output meta oif enp1s0 jump wan_output
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Doing a "list ruleset", I find this present in inet filter:
> 
> > 	chain wan_output {
> > 		fib saddr . iif type broadcast counter packets 0 bytes 0 drop
> > 		fib saddr . iif type multicast counter packets 0 bytes 0 drop
> > 		fib saddr . iif type blackhole counter packets 0 bytes 0 drop
> > 		fib saddr . iif type unreachable counter packets 0 bytes 0 drop
> > 		fib saddr . iif type prohibit counter packets 0 bytes 0 drop
> > 	}
> 
> Interestingly, a similar expression works just file in the input context:
> 
> > 	chain input {
> > 		type filter hook input priority 0; policy drop;
> > 		iif "enp1s0" jump wan_input
> > 		iif "enp2s0" jump lan_input
> 
> 
> Documentation provides NO clue as to what is wrong with the first statement
> statement.
> 
> Can anyone tell me what is going on?

fib address type with...

* iff can only be used in prerouting, input and forward.
* oif can only be used in output, postrouting and forward.

I assume your 'output' chain is something like:

        type filter hook output priority 0; policy drop;

Anyway, I agree error reporting and documentation can do better there.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: WTF, over
  2020-05-24 11:09 ` Pablo Neira Ayuso
@ 2020-05-24 15:03   ` Stephen Satchell
  2020-05-24 16:36     ` Pablo Neira Ayuso
  2020-05-24 15:05   ` WTF, over (reformatted) Stephen Satchell
  1 sibling, 1 reply; 5+ messages in thread
From: Stephen Satchell @ 2020-05-24 15:03 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Linux Netfilter Users List

On 5/24/20 4:09 AM, Pablo Neira Ayuso wrote:
> fib address type with...
> 
> * iff can only be used in prerouting, input and forward.
> * oif can only be used in output, postrouting and forward.
> 
> I assume your 'output' chain is something like:
> 
>          type filter hook output priority 0; policy drop;
> 
> Anyway, I agree error reporting and documentation can do better there.

Interesting.  Here is the complete fragment, as tested on a virtual machine:

> table inet filter {
>     chain wan_output {
>         fib saddr . iif type broadcast   counter drop # no non-unicast
>        #fib saddr . iif type anycast     counter drop (unicast)
>         fib saddr . iif type multicast   counter drop 
>         fib saddr . iif type blackhole   counter drop 
>         fib saddr . iif type unreachable counter drop 
>         fib saddr . iif type prohibit    counter drop
>         }
>     chain output {
>         type filter hook output priority 0; policy accept;
>         meta oif "lo" accept
>         meta oif "ens3" goto wan_output
>         }
>     }

The output when I try to load this is:
> [root@localhost Desktop]# nft  -f x.nft
> x.nft:13:9-39: Error: Could not process rule: Operation not supported
>         meta oif "ens3" goto wan_output
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*  meta oif is being used in the output chain
*  replace 'goto wan_output' with drop generates no message
*  "nft ruleset" echos the rules properly with "drop"

What is so special about the jump action?


So it appears there is a disconnect when the jump target is specified.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: WTF, over
  2020-05-24 15:03   ` Stephen Satchell
@ 2020-05-24 16:36     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-24 16:36 UTC (permalink / raw)
  To: Stephen Satchell; +Cc: Linux Netfilter Users List

On Sun, May 24, 2020 at 08:03:00AM -0700, Stephen Satchell wrote:
> On 5/24/20 4:09 AM, Pablo Neira Ayuso wrote:
> > fib address type with...
> > 
> > * iff can only be used in prerouting, input and forward.
> > * oif can only be used in output, postrouting and forward.
> > 
> > I assume your 'output' chain is something like:
> > 
> >          type filter hook output priority 0; policy drop;
> 
[...]
> > table inet filter {
> >     chain wan_output {
> >         fib saddr . iif type broadcast   counter drop # no non-unicast
> >        #fib saddr . iif type anycast     counter drop (unicast)
> >         fib saddr . iif type multicast   counter drop         fib saddr
> > . iif type blackhole   counter drop         fib saddr . iif type
> > unreachable counter drop         fib saddr . iif type prohibit
> > counter drop
> >         }
> >     chain output {
> >         type filter hook output priority 0; policy accept;
> >         meta oif "lo" accept
> >         meta oif "ens3" goto wan_output
> >         }
> >     }
> 
> The output when I try to load this is:
> > [root@localhost Desktop]# nft  -f x.nft
> > x.nft:13:9-39: Error: Could not process rule: Operation not supported
> >         meta oif "ens3" goto wan_output
> >         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This happens because you cannot use 'fib saddr . iif type' from your
wan_output chain.

The error is reported, later on, when you add this rule:

        meta oif "ens3" goto wan_output

because the jump/goto validates your 'wan_output'. This validation
fails because your 'wan_output' chain contains rules with:

        fib saddr . iif type

which is not supported in the output path.

You can only use 'fib saddr . iif type' from prerouting, input and
forward.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: WTF, over (reformatted)
  2020-05-24 11:09 ` Pablo Neira Ayuso
  2020-05-24 15:03   ` Stephen Satchell
@ 2020-05-24 15:05   ` Stephen Satchell
  1 sibling, 0 replies; 5+ messages in thread
From: Stephen Satchell @ 2020-05-24 15:05 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Linux Netfilter Users List

On 5/24/20 4:09 AM, Pablo Neira Ayuso wrote:
> fib address type with...
> 
> * iff can only be used in prerouting, input and forward.
> * oif can only be used in output, postrouting and forward.
> 
> I assume your 'output' chain is something like:
> 
>          type filter hook output priority 0; policy drop;
> 
> Anyway, I agree error reporting and documentation can do better there.

Interesting.  Here is the complete fragment, as tested on a virtual machine:

> table inet filter {
>     chain wan_output {
>         fib saddr . iif type broadcast   counter drop # no non-unicast
>        #fib saddr . iif type anycast     counter drop (unicast)
>         fib saddr . iif type multicast   counter drop
>         fib saddr . iif type blackhole   counter drop
>         fib saddr . iif type unreachable counter drop
>         fib saddr . iif type prohibit    counter drop
>         }
>     chain output {
>         type filter hook output priority 0; policy accept;
>         meta oif "lo" accept
>         meta oif "ens3" goto wan_output
>         }
>     }

The output when I try to load this is:
> [root@localhost Desktop]# nft  -f x.nft
> x.nft:13:9-39: Error: Could not process rule: Operation not supported
>         meta oif "ens3" goto wan_output
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*  meta oif is being used in the output chain
*  replace 'goto wan_output' with drop generates no message
*  "nft ruleset" echos the rules properly with "drop"

What is so special about the jump action?


So it appears there is a disconnect when the jump target is specified.


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-05-24 16:36 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-05-23 22:02 WTF, over Stephen Satchell
2020-05-24 11:09 ` Pablo Neira Ayuso
2020-05-24 15:03   ` Stephen Satchell
2020-05-24 16:36     ` Pablo Neira Ayuso
2020-05-24 15:05   ` WTF, over (reformatted) Stephen Satchell

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.