Re: Constraints on nft expressions and statements in inet ingress chains

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Frank Myhr <fmyhr@fhmtech.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Constraints on nft expressions and statements in inet ingress chains
Date: Mon, 8 Feb 2021 17:32:14 +0100	[thread overview]
Message-ID: <20210208163214.GG16570@breakpoint.cc> (raw)
In-Reply-To: <5959d455-c6b8-acaf-bc1c-9500b4a2716c@fhmtech.com>

Frank Myhr <fmyhr@fhmtech.com> wrote:
> 
> Some clearly make no sense, like:
> - anything involving an output interface

yes.

> - anything related to conntrack (I think)

Depends, conntrack info may be present for loopback case.

> - packet mark (I think)

Will be present for loopback and it can be set/assigned.

> Not sure about:
> - reject statement (pretty sure not)

Should work in recent kernels.

> - ah & esp header expressions?

Why would that not worl?  This is just like tcp/udp header access.

> - raw payload expression?

Same.

> - extension header expressions?

Same.

> Seem to work, but are they a good idea this early in processing?:
> - tcp header & udp header expressions? If IP datagrams are fragmented, these
> matches will miss all but first fragment, correct? (Since defragmentation
> doesn't happen until prerouting?)

Yes, access to l4 header will not work for subsequent fragments.

> My general impression is that inet ingress filtering on L3 IPv4 and IPv6
> header expressions like ip saddr, ip daddr is okay, but trying to reach into
> L4 so early will be problematic...

Yes, it might not work in fragmentation case.

next prev parent reply	other threads:[~2021-02-08 16:32 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-08 15:49 Constraints on nft expressions and statements in inet ingress chains Frank Myhr
2021-02-08 16:32 ` Florian Westphal [this message]
2021-02-08 18:01   ` Frank Myhr

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210208163214.GG16570@breakpoint.cc \
    --to=fw@strlen.de \
    --cc=fmyhr@fhmtech.com \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.