From: Florian Westphal <fw@strlen.de>
To: yves baumes <ybaumes@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Consolidating rules
Date: Mon, 3 Jan 2022 15:56:03 +0100
Message-ID: <20220103145603.GB22312@breakpoint.cc>
In-Reply-To: <CAF1QswjecENZyrGsCtot4dH1xPmDKyG6csk00O7+A6stPP_Lrg@mail.gmail.com>
yves baumes <ybaumes@gmail.com> wrote:
> Here is my problem: when I create a table to let DHCP and DNS requests
> pass through, my packets are still getting dropped.
> ```
> # nft list ruleset
> table inet mytable {
>     chain inbound {
>         ip protocol . th dport vmap { tcp . 22 : accept, tcp . 53 : accept, udp . 53 : accept, udp . 67 : accept }
>     }
>
>     chain ssh_inbound {
>         tcp dport 22 accept
>     }
>
>     chain input {
>         type filter hook input priority filter - 1; policy drop;
>         ct state vmap { invalid : drop, established : accept, related : accept }
>         iifname vmap { "eth2" : jump inbound, "eth2.103" : jump inbound, "eth2.3163" : jump inbound }
>         iifname vmap { "eth0" : jump ssh_inbound }
>         iifname "lo" accept
>         iifname "tun0" tcp dport 22 accept
>     }
> [...]
> ```
>
> So I read about that issue in the wiki:
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
> which states that the default filter/INPUT chain will be run either
> before or after my own chain (depending on the priority I set) and
> will drop the packets silently, since its default policy is DROP and
> no rules match the packets in this filter/INPUT chain.
> Indeed if I change the default policy of filter/INPUT to ACCEPT, my
> DHCP/DNS packets are getting accepted.
They are accepted regardless; the policy is not relevant for them.
[..]
> Second solution would be to let the default filter/INPUT policy to
> DROP and centralize my configuration into the filter/INPUT chain,
That's what you are doing?
In the ruleset you provided there is only one base chain (input),
so 'chain inbound' is called in the context of the input base chain.
> So how would you tackle this issue, that is: letting the packets go
> through while still having a default policy to DROP? Is there a
> simpler way that I did not find?
If the 'accept policy' solves your problem, your ruleset is tossing
packets that it should not be dropping.
For example, your ruleset breaks ipv6 since it discards icmpv6
neighbour solicitation packets.
Thread overview:
2021-12-29 14:09 Consolidating rules yves baumes
2022-01-03 14:56 ` Florian Westphal [this message]